From 9868c00cc69f15cfac63f8560cfbe9f6fae06523 Mon Sep 17 00:00:00 2001
From: Arnim Rupp <46819580+ruppde@users.noreply.github.com>
Date: Fri, 13 Jan 2023 00:08:55 +0100
Subject: [PATCH 1/2] Add more ransomware strings

---
 .../category/antivirus/av_password_dumper.yml | 4 +++-
 rules/category/antivirus/av_ransomware.yml | 23 +++++++++++++++++--
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/rules/category/antivirus/av_password_dumper.yml b/rules/category/antivirus/av_password_dumper.yml
index a86347223..0993a51e5 100644
--- a/rules/category/antivirus/av_password_dumper.yml
+++ b/rules/category/antivirus/av_password_dumper.yml
@@ -5,9 +5,10 @@ description: Detects a highly relevant Antivirus alert that reports a password d
 references:
     - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
     - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection
+    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
 author: Florian Roth
 date: 2018/09/09
-modified: 2022/05/12
+modified: 2023/01/13
 tags:
     - attack.credential_access
     - attack.t1003
@@ -32,6 +33,7 @@ detection:
             - 'LsassDump'
             - 'Outflank'
             - 'DumpLsass'
+            - 'SharpDump'
     condition: selection
 fields:
     - FileName
diff --git a/rules/category/antivirus/av_ransomware.yml b/rules/category/antivirus/av_ransomware.yml
index 7377029df..10d54d3bf 100644
--- a/rules/category/antivirus/av_ransomware.yml
+++ b/rules/category/antivirus/av_ransomware.yml
@@ -4,9 +4,14 @@ status: experimental
 description: Detects a highly relevant Antivirus alert that reports ransomware
 references:
     - https://www.nextron-systems.com/?s=antivirus
-author: Florian Roth
+    - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
+    - https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7
+    - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
+    - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
+    - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
+author: Florian Roth, Arnim Rupp
 date: 2022/05/12
-modified: 2022/10/24
+modified: 2023/01/13
 tags:
     - attack.t1486
 logsource:
@@ -16,6 +21,20 @@ detection:
         Signature|contains:
             - 'Ransom'
             - 'Filecoder'
+            - 'Ryuk'
+            - 'Cryptor'
+            - 'Crypter'
+            - 'Destructor'
+            - 'TeslaCrypt'
+            - 'Locker'
+            - 'Tescrypt'
+            - 'CRYPTES'
+            - 'Krypt'
+            - 'GandCrab'
+            - 'Filecoder'
+            - 'Ryzerlo'
+            - 'BlackWorm'
+            - 'Phobos'
     condition: selection
 falsepositives:
     - Unlikely

From 7df1bd1a40a226baefd6daa84f40d3c92756a40b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 13 Jan 2023 00:26:38 +0100
Subject: [PATCH 2/2] fix: remove duplicate entry

---
 rules/category/antivirus/av_ransomware.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/category/antivirus/av_ransomware.yml b/rules/category/antivirus/av_ransomware.yml
index 10d54d3bf..a56fa754c 100644
--- a/rules/category/antivirus/av_ransomware.yml
+++ b/rules/category/antivirus/av_ransomware.yml
@@ -31,7 +31,6 @@ detection:
             - 'CRYPTES'
             - 'Krypt'
             - 'GandCrab'
-            - 'Filecoder'
             - 'Ryzerlo'
             - 'BlackWorm'
             - 'Phobos'
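Review bot: Several of the values added under `Signature|contains:` in the `@@ -16,6 +21,20 @@` hunk are generic verdict fragments rather than ransomware family names — `'Krypt'` is a substring of the widespread generic packer verdict `Kryptik`, and `'Crypter'`, `'Cryptor'` and `'Locker'` also occur in crypter/packer and screen-locker verdicts — so with Sigma's case-insensitive `contains` matching the rule will fire on non-ransomware AV alerts, and the `falsepositives:` / `- Unlikely` entry visible at the end of the hunk no longer describes the rule. Either drop or lengthen the broad fragments (keep full family names such as `'TeslaCrypt'` and `'GandCrab'`, remove `'Krypt'`) or state the expected noise, e.g. `falsepositives:` / `- Generic crypter, packer or locker verdicts that contain one of the short substrings`, and re-check the rule's severity level, which is outside this hunk. As a point of style, `'CRYPTES'` is the only all-caps entry; since matching is case-insensitive it can be written in the same mixed case as its neighbours.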