SigmaHQ/wazuh/rules/sigma_win_malware_wannacry.yml

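# ElastAlert rule for Wazuh, converted from the Sigma rule
# win_malware_wannacry. It matches process-creation style events whose
# Sysmon-like Image / CommandLine fields (data.win.eventdata.*) carry
# WannaCry indicators. The `_0` suffix on `name` appears to be the
# converter's per-rule counter, the prefix is the Sigma rule id.
---
name: 41d40bff-377a-43e2-8e1b-2e543069e079_0
description: Detects WannaCry ransomware activity
priority: 1

# Pinned to the Wazuh 3.x index naming scheme; adjust if the stack writes
# alerts to a differently named index template.
index: wazuh-alerts-3.x-*

# `any`: every document that satisfies the filter produces an alert.
type: any

# `minutes: 0` disables re-alert suppression, so repeated matches alert
# every time. Raise it (or add a query_key) if the rule proves noisy.
realert:
  minutes: 0

# The `debug` alerter only writes the match to the ElastAlert log; swap in
# a real notifier before relying on this rule operationally.
alert:
  - debug

filter:
  - query:
      query_string:
        # Two branches: (1) image names associated with WannaCry components
        # and (2) command lines that disable recovery (icacls on Everyone,
        # bcdedit recoveryenabled, wbadmin catalog deletion) or reference
        # the ransom note. diskpart.exe and the recovery-disabling commands
        # also occur in legitimate administration and in other ransomware
        # families, so expect some false positives and overlap with
        # neighbouring rules.
        # Folded block (>-): lines are joined with single spaces, so the
        # value is byte-identical to the original single-line query.
        query: >-
          (data.win.eventdata.image.keyword:(*\\tasksche.exe OR *\\mssecsvc.exe
          OR *\\taskdl.exe OR *\\@WanaDecryptor@* OR *\\WanaDecryptor*
          OR *\\taskhsvc.exe OR *\\taskse.exe OR *\\111.exe OR *\\lhdfrgui.exe
          OR *\\diskpart.exe OR *\\linuxnew.exe OR *\\wannacry.exe)
          OR data.win.eventdata.commandLine.keyword:(*icacls\ *\ \/grant\ Everyone\:F\ \/T\ \/C\ \/Q*
          OR *bcdedit\ \/set\ \{default\}\ recoveryenabled\ no*
          OR *wbadmin\ delete\ catalog\ \-quiet* OR *@Please_Read_Me@.txt*))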