From 37c637066bce692729e9197f6f8f514df524a5bc Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 12 Oct 2021 20:57:12 +0200
Subject: [PATCH 1/2] add process_creation_conti_cmd_ransomware.yml

---
 .../process_creation_conti_cmd_ransomware.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml

diff --git a/rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml b/rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml
new file mode 100644
index 00000000..461cfb04
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml
@@ -0,0 +1,29 @@
+title: Conti Ransomware Execution
+id: 689308fc-cfba-4f72-9897-796c1dc61487
+status: experimental
+author: frack113
+date: 2021/10/12
+description: Conti ransomware command line ioc
+references:
+ - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
+ - https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
+tags:
+ - attack.impact
+ - attack.s0575
+ - attack.t1486
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - '-m '
+ - '-net '
+ - '-size ' #size 10 in references
+ - '-nomutex '
+ - '-p \\'
+ - '$'
+ condition: selection
+falsepositives:
+ - Unknown should be low
+level: critical

From 5aa62bd342dd7e60294b1ac89f772a2cff611401 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 12 Oct 2021 21:02:15 +0200
Subject: [PATCH 2/2] fix yml

---
 .../process_creation_conti_cmd_ransomware.yml | 58 +++++++++----------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml b/rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml
index 461cfb04..776c4d12 100644
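Review bot: The `'$'` entry in `CommandLine|contains|all` is the weakest token in the selection and, because every token must match, it restricts the rule to command lines whose `-p \\` target happens to contain `$` (typically an administrative share such as `C$`); a target path without `$` is not matched even though the distinctive `-m -net -size -nomutex` flags are present, so consider dropping it or recording the assumption, e.g. `- '$'  # assumes an admin-share target, see references`. The trailing spaces in `'-m '`, `'-net '`, `'-size '` and `'-nomutex '` likewise require each flag to be followed by a further argument, so a command line that ends in `-nomutex` is missed; if the referenced samples show a fixed flag order this is acceptable, but the rule should say so. The description `Conti ransomware command line ioc` could state what is matched, e.g. `description: Detects the command line flags (-m -net -size -nomutex -p) reported in the references for Conti ransomware execution against remote paths`. The inline comment `#size 10 in references` should read `# size 10 in references` with two spaces before the hash (yamllint `comments`). The second patch in this series rewrites the same 29 lines with identical visible text, so these points apply to its hunk as well.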
--- a/rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml
+++ b/rules/windows/process_creation/process_creation_conti_cmd_ransomware.yml
@@ -1,29 +1,29 @@
-title: Conti Ransomware Execution
-id: 689308fc-cfba-4f72-9897-796c1dc61487
-status: experimental
-author: frack113
-date: 2021/10/12
-description: Conti ransomware command line ioc
-references:
- - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
- - https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
-tags:
- - attack.impact
- - attack.s0575
- - attack.t1486
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- CommandLine|contains|all:
- - '-m '
- - '-net '
- - '-size ' #size 10 in references
- - '-nomutex '
- - '-p \\'
- - '$'
- condition: selection
-falsepositives:
- - Unknown should be low
-level: critical
+title: Conti Ransomware Execution
+id: 689308fc-cfba-4f72-9897-796c1dc61487
+status: experimental
+author: frack113
+date: 2021/10/12
+description: Conti ransomware command line ioc
+references:
+ - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
+ - https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
+tags:
+ - attack.impact
+ - attack.s0575
+ - attack.t1486
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - '-m '
+ - '-net '
+ - '-size ' #size 10 in references
+ - '-nomutex '
+ - '-p \\'
+ - '$'
+ condition: selection
+falsepositives:
+ - Unknown should be low
+level: critical