From 4366a9502485f2a716dc69f0e6db90605e46b0bc Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 11 May 2020 10:46:26 +0200
Subject: [PATCH] rule: Maze ransomware
---
 .../win_crime_maze_ransomware.yml | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 rules/windows/process_creation/win_crime_maze_ransomware.yml
diff --git a/rules/windows/process_creation/win_crime_maze_ransomware.yml b/rules/windows/process_creation/win_crime_maze_ransomware.yml
new file mode 100644
index 000000000..9f7d3d64f
--- /dev/null
+++ b/rules/windows/process_creation/win_crime_maze_ransomware.yml
@@ -0,0 +1,40 @@
+title: Maze Ransomware
+id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
+status: experimental
+description: Detects specific process characteristics of Maze ransomware word document droppers
+references:
+    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+    - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
+    - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
+author: Florian Roth
+date: 2020/05/08
+tags:
+    - attack.execution
+    - attack.t1204
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    # Dropper
+    selection1:
+        ParentImage|endswith:
+            - '\WINWORD.exe'
+        Image|endswith:
+            - '*.tmp'
+    # Binary Execution
+    selection2:
+        Image|endswith: '\wmic.exe'
+        ParentImage|contains: '\Temp\'
+        CommandLine|endswith: 'shadowcopy delete'
+    # Specific Pattern
+    selection3:
+        CommandLine|endswith: 'shadowcopy delete'
+        CommandLine|contains: '\..\..\system32'
+    condition: 1 of them
+fields:
+    - ComputerName
+    - User
+    - Image
+falsepositives:
+    - Unlikely
+level: critical
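Review bot: In selection1 the value `Image|endswith: '*.tmp'` combines an explicit `*` wildcard with the `endswith` modifier, which already implies a leading wildcard, so the value should be the plain suffix `'.tmp'` to avoid backends emitting a doubled wildcard. The `CommandLine|endswith: 'shadowcopy delete'` used in selection2 and selection3 is also brittle for a level-critical rule: any trailing argument, quote or whitespace after `delete` evades the match, whereas `CommandLine|contains: 'shadowcopy delete'` would still catch the visible Maze pattern. Since selection2 and selection3 detect shadow-copy deletion through wmic rather than user execution of a document, the tags should additionally carry `attack.impact`, `attack.t1490` and `attack.t1047` so the rule maps to the techniques it actually covers. Finally, `fields` omits `CommandLine` and `ParentImage`, which are exactly the attributes the selections match on and the first thing an analyst needs when triaging a hit.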