rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml

title: WannaCry Ransomware Activity
id: 41d40bff-377a-43e2-8e1b-2e543069e079
status: test
description: Detects WannaCry ransomware activity
references:
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
    - https://x.com/nas_bench/status/1868639048484425963
author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
date: 2019-01-16
modified: 2025-10-18
tags:
    - attack.lateral-movement
    - attack.defense-impairment
    - attack.t1210
    - attack.discovery
    - attack.t1083
    - attack.t1222.001
    - attack.impact
    - attack.t1486
    - attack.t1490
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\tasksche.exe'
              - '\mssecsvc.exe'
              - '\taskdl.exe'
              - '\taskhsvc.exe'
              - '\taskse.exe'
              - '\111.exe'
              - '\lhdfrgui.exe'
              # - '\diskpart.exe'  # cannot be used in a rule of level critical
              - '\linuxnew.exe'
              - '\wannacry.exe'
        - Image|contains: 'WanaDecryptor'
    selection_cmd:
        CommandLine|contains: '@Please_Read_Me@.txt'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
feat: multiple updates and fixes 2023-02-03 02:22:28 +01:00			`title: WannaCry Ransomware Activity`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 41d40bff-377a-43e2-8e1b-2e543069e079`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
Merged WannaCry rules 2019-05-24 22:17:36 +02:00			`description: Detects WannaCry ransomware activity`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`references:`
Update + New Rules 2022-08-01 17:37:16 +01:00			`- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100`
Merge PR #5533 from @swachchhanda000 - fix: github reported issues 2025-10-18 07:07:22 +05:45			`- https://x.com/nas_bench/status/1868639048484425963`
chore: add nextron authors tag 2023-02-01 11:14:59 +01:00			`author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2019-01-16`
Merge PR #5533 from @swachchhanda000 - fix: github reported issues 2025-10-18 07:07:22 +05:45			`modified: 2025-10-18`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.lateral-movement`
Merge PR #5966 from @nasbench - Update mitre tags to use attack v19 2026-04-29 01:20:23 +02:00			`- attack.defense-impairment`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`- attack.t1210`
			`- attack.discovery`
			`- attack.t1083`
			`- attack.t1222.001`
			`- attack.impact`
			`- attack.t1486`
			`- attack.t1490`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- detection.emerging-threats`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`logsource:`
Update + New Rules 2022-08-01 17:37:16 +01:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`detection:`
Merge PR #5533 from @swachchhanda000 - fix: github reported issues 2025-10-18 07:07:22 +05:45			`selection_img:`
Update + New Rules 2022-08-01 17:37:16 +01:00			`- Image\|endswith:`
Merge PR #4482 From @nasbench - Add New Automation Workflows 2023-10-18 11:53:44 +02:00			`- '\tasksche.exe'`
			`- '\mssecsvc.exe'`
			`- '\taskdl.exe'`
			`- '\taskhsvc.exe'`
			`- '\taskse.exe'`
			`- '\111.exe'`
			`- '\lhdfrgui.exe'`
			`# - '\diskpart.exe' # cannot be used in a rule of level critical`
			`- '\linuxnew.exe'`
			`- '\wannacry.exe'`
Update + New Rules 2022-08-01 17:37:16 +01:00			`- Image\|contains: 'WanaDecryptor'`
Merge PR #5533 from @swachchhanda000 - fix: github reported issues 2025-10-18 07:07:22 +05:45			`selection_cmd:`
			`CommandLine\|contains: '@Please_Read_Me@.txt'`
			`condition: 1 of selection_*`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`falsepositives:`
Update + New Rules 2022-08-01 17:37:16 +01:00			`- Unknown`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`level: critical`