2019-01-16 23:36:31 +01:00
title : NotPetya Ransomware Activity
2019-11-12 23:12:27 +01:00
id : 79aeeb41-8156-4fac-a0cd-076495ab82a1
2019-01-16 23:36:31 +01:00
status : experimental
2020-06-16 14:46:08 -06:00
description : Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
2019-01-16 23:36:31 +01:00
author : Florian Roth, Tom Ueltschi
2020-01-30 16:07:37 +01:00
date : 2019 /01/16
2020-09-01 17:02:36 +00:00
modified : 2020 /09/01
2019-01-16 23:36:31 +01:00
references :
2019-03-02 00:14:20 +01:00
- https://securelist.com/schroedingers-petya/78870/
- https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
2019-01-16 23:36:31 +01:00
tags :
2019-03-02 00:14:20 +01:00
- attack.defense_evasion
2020-06-16 14:46:08 -06:00
- attack.t1218.011
2020-09-01 17:02:36 +00:00
- attack.execution # an old one
- attack.t1085 # an old one
- attack.t1070.001
- attack.t1070 # an old one
- attack.credential_access
- attack.t1003.001
- attack.t1003 # an old one
- car.2016-04-002
2019-01-16 23:36:31 +01:00
logsource :
2019-03-02 00:14:20 +01:00
category : process_creation
product : windows
2019-01-16 23:36:31 +01:00
detection :
2019-03-02 00:14:20 +01:00
pipe_com :
2020-11-27 15:29:29 -03:00
CommandLine|contains|all :
- '\AppData\Local\Temp\'
- ' \\.\pipe\\'
2019-03-02 00:14:20 +01:00
rundll32_dash1 :
2020-10-15 18:02:08 -03:00
Image|endswith : '\rundll32.exe'
CommandLine|endswith : '.dat,#1'
2021-08-27 11:53:50 -04:00
perfc_keyword :
2020-10-15 18:02:08 -03:00
- '\perfc.dat'
2019-03-02 00:14:20 +01:00
condition : 1 of them
2019-01-16 23:36:31 +01:00
fields :
2019-03-02 00:14:20 +01:00
- CommandLine
- ParentCommandLine
2019-01-16 23:36:31 +01:00
falsepositives :
2019-03-02 00:14:20 +01:00
- Admin activity
2019-01-16 23:36:31 +01:00
level : critical
2020-11-27 15:29:29 -03:00
