valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
78854b79c4
SigmaHQ/rules/windows/malware/win_mal_wannacry.yml
Florian Roth 970f01f9f2 Renamed file for consistency
2017-11-09 15:43:32 +01:00

68 lines
2.2 KiB
YAML
Raw Blame History

action: global
title: WannaCry Ransomware
description: Detects WannaCry Ransomware Activity
status: experimental
reference:
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
author: Florian Roth
detection:
selection1:
CommandLine:
- '*vssadmin delete shadows*'
- '*icacls * /grant Everyone:F /T /C /Q*'
- '*bcdedit /set {default} recoveryenabled no*'
- '*wbadmin delete catalog -quiet*'
condition: selection1 or selection2
falsepositives:
- Unknown
level: critical
---
# Windows Audit Log
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
# Requires group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 4688
selection2:
# Does not require group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 4688
NewProcessName:
- '*\tasksche.exe'
- '*\mssecsvc.exe'
- '*\taskdl.exe'
- '*\WanaDecryptor*'
- '*\taskhsvc.exe'
- '*\taskse.exe'
- '*\111.exe'
- '*\lhdfrgui.exe'
- '*\diskpart.exe' # Rare, but can be false positive
- '*\linuxnew.exe'
- '*\wannacry.exe'
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection1:
# Requires group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 1
selection2:
# Does not require group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 1
Image:
- '*\tasksche.exe'
- '*\mssecsvc.exe'
- '*\taskdl.exe'
- '*\WanaDecryptor*'
- '*\taskhsvc.exe'
- '*\taskse.exe'
- '*\111.exe'
- '*\lhdfrgui.exe'
- '*\diskpart.exe' # Rare, but can be false positive
- '*\linuxnew.exe'
- '*\wannacry.exe'
Reference in New Issue View Git Blame Copy Permalink