2019-01-16 23:36:31 +01:00
title : NotPetya Ransomware Activity
2019-11-12 23:12:27 +01:00
id : 79aeeb41-8156-4fac-a0cd-076495ab82a1
2019-01-16 23:36:31 +01:00
status : experimental
2020-06-16 14:46:08 -06:00
description : Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
2019-01-16 23:36:31 +01:00
author : Florian Roth, Tom Ueltschi
2020-01-30 16:07:37 +01:00
date : 2019 /01/16
2020-09-01 17:02:36 +00:00
modified : 2020 /09/01
2019-01-16 23:36:31 +01:00
references :
2019-03-02 00:14:20 +01:00
- https://securelist.com/schroedingers-petya/78870/
- https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
2019-01-16 23:36:31 +01:00
tags :
2019-03-02 00:14:20 +01:00
- attack.defense_evasion
2020-06-16 14:46:08 -06:00
- attack.t1218.011
2020-09-01 17:02:36 +00:00
- attack.execution # an old one
- attack.t1085 # an old one
- attack.t1070.001
- attack.t1070 # an old one
- attack.credential_access
- attack.t1003.001
- attack.t1003 # an old one
- car.2016-04-002
2019-01-16 23:36:31 +01:00
logsource :
2019-03-02 00:14:20 +01:00
category : process_creation
product : windows
2019-01-16 23:36:31 +01:00
detection :
2019-03-02 00:14:20 +01:00
pipe_com :
2019-10-07 22:09:53 +02:00
CommandLine : '*\AppData\Local\Temp\\* \\.\pipe\\*'
2019-03-02 00:14:20 +01:00
rundll32_dash1 :
Image : '*\rundll32.exe'
CommandLine : '*.dat,#1'
perfc_keyword :
- '*\perfc.dat*'
condition : 1 of them
2019-01-16 23:36:31 +01:00
fields :
2019-03-02 00:14:20 +01:00
- CommandLine
- ParentCommandLine
2019-01-16 23:36:31 +01:00
falsepositives :
2019-03-02 00:14:20 +01:00
- Admin activity
2019-01-16 23:36:31 +01:00
level : critical
