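---
# Sigma rule in multi-document form. The first document (action: global) holds
# the fields shared by every logsource-specific document that follows; each
# later document's detection.selection1 / selection2 is merged with the global
# selection of the same name, so the global CommandLine list is ANDed with the
# per-logsource process-creation event id.
action: global
title: WannaCry Ransomware
# NOTE(review): the Windows audit-log document below declares its own
# `description`; with global-merge semantics that value presumably replaces
# this one for that rule only — confirm with the Sigma tooling in use.
description: Detects WannaCry Ransomware Activity
status: experimental
# id: <UUID placeholder> — Sigma expects a unique rule id; assign one before use.
references:
  - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
author: Florian Roth
tags:
  - attack.impact
  - attack.t1490  # Inhibit System Recovery (shadow copies, backup catalog, recoveryenabled)
  - attack.t1486  # Data Encrypted for Impact
detection:
  selection1:
    # Recovery-inhibiting commands observed with the sample. The leading and
    # trailing `*` make each pattern a substring match on the full command line.
    CommandLine:
      - '*vssadmin delete shadows*'
      - '*icacls * /grant Everyone:F /T /C /Q*'
      - '*bcdedit /set {default} recoveryenabled no*'
      - '*wbadmin delete catalog -quiet*'
  # Either the command-line selection or the process-name selection fires.
  condition: 1 of them
falsepositives:
  - Administrative use of diskpart.exe (selection2 only)
  - Unknown
level: critical
---
# Windows Audit Log
logsource:
  product: windows
  service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
  selection1:
    # Requires group policy 'Audit Process Creation' > Include command line in process creation events
    EventID: 4688
  selection2:
    # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
    EventID: 4688
    # Process names dropped by the sample; the trailing `*` on WanaDecryptor
    # covers the decorated variants of that name.
    NewProcessName:
      - '*\tasksche.exe'
      - '*\mssecsvc.exe'
      - '*\taskdl.exe'
      - '*\WanaDecryptor*'
      - '*\taskhsvc.exe'
      - '*\taskse.exe'
      - '*\111.exe'
      - '*\lhdfrgui.exe'
      - '*\diskpart.exe'  # Rare, but can be false positive (built-in Windows tool)
      - '*\linuxnew.exe'
      - '*\wannacry.exe'
---
# Sysmon
logsource:
  product: windows
  service: sysmon
detection:
  selection1:
    # Requires group policy 'Audit Process Creation' > Include command line in process creation events
    # (Sysmon event 1 carries CommandLine natively; the global selection1 supplies the patterns.)
    EventID: 1
  selection2:
    # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
    EventID: 1
    # Same process-name list as the audit-log document; keep the two in sync.
    Image:
      - '*\tasksche.exe'
      - '*\mssecsvc.exe'
      - '*\taskdl.exe'
      - '*\WanaDecryptor*'
      - '*\taskhsvc.exe'
      - '*\taskse.exe'
      - '*\111.exe'
      - '*\lhdfrgui.exe'
      - '*\diskpart.exe'  # Rare, but can be false positive (built-in Windows tool)
      - '*\linuxnew.exe'
      - '*\wannacry.exe'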