mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
65 lines
1.8 KiB
YAML
65 lines
1.8 KiB
YAML
title: WannaCry Ransomware
|
|
id: 41d40bff-377a-43e2-8e1b-2e543069e079
|
|
status: experimental
|
|
description: Detects WannaCry ransomware activity
|
|
references:
|
|
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
|
|
author: Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
|
|
date: 2019/01/16
|
|
modified: 2020/09/01
|
|
tags:
|
|
- attack.lateral_movement
|
|
- attack.t1210
|
|
- attack.discovery
|
|
- attack.t1083
|
|
- attack.defense_evasion
|
|
- attack.t1222.001
|
|
- attack.t1222 # an old one
|
|
- attack.impact
|
|
- attack.t1486
|
|
- attack.t1490
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection1:
|
|
- Image|endswith:
|
|
- '\tasksche.exe'
|
|
- '\mssecsvc.exe'
|
|
- '\taskdl.exe'
|
|
- '\taskhsvc.exe'
|
|
- '\taskse.exe'
|
|
- '\111.exe'
|
|
- '\lhdfrgui.exe'
|
|
- '\diskpart.exe'
|
|
- '\linuxnew.exe'
|
|
- '\wannacry.exe'
|
|
- Image|contains: 'WanaDecryptor'
|
|
selection2:
|
|
- CommandLine|contains|all:
|
|
- 'icacls'
|
|
- '/grant'
|
|
- 'Everyone:F'
|
|
- '/T'
|
|
- '/C'
|
|
- '/Q'
|
|
- CommandLine|contains|all:
|
|
- 'bcdedit'
|
|
- '/set'
|
|
- '{default}'
|
|
- 'recoveryenabled'
|
|
- 'no'
|
|
- CommandLine|contains|all:
|
|
- 'wbadmin'
|
|
- 'delete'
|
|
- 'catalog'
|
|
- '-quiet'
|
|
- CommandLine|contains: '@Please_Read_Me@.txt'
|
|
condition: 1 of them
|
|
fields:
|
|
- CommandLine
|
|
- ParentCommandLine
|
|
falsepositives:
|
|
- Diskpart.exe usage to manage partitions on the local hard drive
|
|
level: critical
|