valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e274df1b13
SigmaHQ/rules/network/net_wannacry_killswitch_domain.yml
Florian Roth 5197f21ed1 fix: duplicate ID
2020-12-13 18:59:04 +01:00

26 lines
841 B
YAML
Raw Blame History

title: Wannacry Killswitch Domain
id: 3eaf6218-3bed-4d8a-8707-274096f12a18
status: experimental
description: Detects wannacry killswitch domain dns queries
references:
- https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html
author: Mike Wade
date: 2020/09/16
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: dns
detection:
selection:
query:
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'
- 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- ''
condition: selection
falsepositives:
- Analyst testing
level: high
Reference in New Issue View Git Blame Copy Permalink