2019-01-16 23:36:31 +01:00
title : NotPetya Ransomware Activity
2019-11-12 23:12:27 +01:00
id : 79aeeb41-8156-4fac-a0cd-076495ab82a1
2021-11-27 11:33:14 +01:00
status : test
2020-06-16 14:46:08 -06:00
description : Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
2019-01-16 23:36:31 +01:00
author : Florian Roth, Tom Ueltschi
references :
2021-11-27 11:33:14 +01:00
- https://securelist.com/schroedingers-petya/78870/
- https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
date : 2019 /01/16
2022-03-05 10:39:15 +01:00
modified : 2022 /03/05
2019-01-16 23:36:31 +01:00
logsource :
2021-11-27 11:33:14 +01:00
category : process_creation
product : windows
2019-01-16 23:36:31 +01:00
detection :
2022-01-11 10:59:57 +01:00
select_pipe_com :
2021-11-27 11:33:14 +01:00
CommandLine|contains|all :
- '\AppData\Local\Temp\'
2022-03-05 10:39:15 +01:00
- ' \\\\.\\pipe\\'
2022-01-11 10:59:57 +01:00
select_rundll32_dash1 :
2021-11-27 11:33:14 +01:00
Image|endswith : '\rundll32.exe'
2021-12-08 10:01:54 +01:00
CommandLine|endswith :
- '.dat,#1'
- '.dat #1' # Sysmon removes comma
2022-01-11 10:59:57 +01:00
select_perfc_keyword :
2021-11-27 11:33:14 +01:00
- '\perfc.dat'
2022-01-11 10:59:57 +01:00
condition : 1 of select*
2019-01-16 23:36:31 +01:00
fields :
2021-11-27 11:33:14 +01:00
- CommandLine
- ParentCommandLine
2019-01-16 23:36:31 +01:00
falsepositives :
2021-11-27 11:33:14 +01:00
- Admin activity
2019-01-16 23:36:31 +01:00
level : critical
2021-11-27 11:33:14 +01:00
tags :
- attack.defense_evasion
- attack.t1218.011
- attack.t1070.001
- attack.credential_access
- attack.t1003.001
- car.2016-04-002
