title: Maze Ransomware
id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
status: experimental
description: Detects specific process characteristics of Maze ransomware word document droppers
references:
    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
    - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
    - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
author: Florian Roth
date: 2020/05/08
modified: 2020/08/29
tags:
    - attack.execution
    - attack.t1204.002
    - attack.t1204  # an old one
    - attack.t1047
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    # Dropper
    selection1:
        ParentImage|endswith:
            - '\WINWORD.exe'
        Image|endswith:
            - '*.tmp'
    # Binary Execution
    selection2:
        Image|endswith: '\wmic.exe'
        ParentImage|contains: '\Temp\'
        CommandLine|endswith: 'shadowcopy delete'
    # Specific Pattern
    selection3: 
        CommandLine|endswith: 'shadowcopy delete'
        CommandLine|contains: '\..\..\system32'
    condition: 1 of them
fields:
    - ComputerName
    - User
    - Image
falsepositives:
    - Unlikely
level: critical