title: Maze Ransomware id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052 status: experimental description: Detects specific process characteristics of Maze ransomware word document droppers references: - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/ - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/ author: Florian Roth date: 2020/05/08 modified: 2021/06/27 tags: - attack.execution - attack.t1204.002 - attack.t1204 # an old one - attack.t1047 - attack.impact - attack.t1490 logsource: category: process_creation product: windows detection: # Dropper selection1: ParentImage|endswith: - '\WINWORD.exe' Image|endswith: - '.tmp' # Binary Execution selection2: Image|endswith: '\wmic.exe' ParentImage|contains: '\Temp\' CommandLine|endswith: 'shadowcopy delete' # Specific Pattern selection3: CommandLine|endswith: 'shadowcopy delete' CommandLine|contains: '\..\..\system32' condition: 1 of them fields: - ComputerName - User - Image falsepositives: - Unlikely level: critical