mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 01:45:21 +00:00
46 lines
2.0 KiB
YAML
46 lines
2.0 KiB
YAML
title: REvil Kaseya Incident Malware Patterns
|
|
id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5
|
|
status: experimental
|
|
description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
|
|
references:
|
|
- https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
|
|
- https://www.joesandbox.com/analysis/443736/0/html
|
|
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
|
|
- https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
|
|
- https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
|
|
author: Florian Roth
|
|
date: 2021/07/03
|
|
modified: 2021/07/05
|
|
tags:
|
|
- attack.execution
|
|
- attack.g0115
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection1:
|
|
CommandLine|contains:
|
|
- 'C:\Windows\cert.exe'
|
|
- 'Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled'
|
|
- 'del /q /f c:\kworking\agent.crt'
|
|
- 'Kaseya VSA Agent Hot-fix'
|
|
- '\AppData\Local\Temp\MsMpEng.exe'
|
|
- 'rmdir /s /q %SystemDrive%\inetpub\logs'
|
|
- 'del /s /q /f %SystemDrive%\\*.log'
|
|
- 'c:\kworking1\agent.exe'
|
|
- 'c:\kworking1\agent.crt'
|
|
selection2:
|
|
Image:
|
|
- 'C:\Windows\MsMpEng.exe'
|
|
- 'C:\Windows\cert.exe'
|
|
- 'C:\kworking\agent.exe'
|
|
- 'C:\kworking1\agent.exe'
|
|
selection3:
|
|
CommandLine|contains|all:
|
|
- 'del /s /q /f'
|
|
- 'WebPages\Errors\webErrorLog.txt'
|
|
condition: selection1 and selection2
|
|
falsepositives:
|
|
- Unknown
|
|
level: critical
|