Merge pull request #1625 from SigmaHQ/rule-devel

Kaseya patterns, PrinterNightmare Mimikatz update
This commit is contained in:
Florian Roth
2021-07-05 13:29:23 +02:00
committed by GitHub
2 changed files with 17 additions and 3 deletions
@@ -7,8 +7,10 @@ references:
- https://www.joesandbox.com/analysis/443736/0/html
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
- https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
- https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
author: Florian Roth
date: 2021/07/03
modified: 2021/07/05
tags:
- attack.execution
- attack.g0115
@@ -23,11 +25,20 @@ detection:
- 'del /q /f c:\kworking\agent.crt'
- 'Kaseya VSA Agent Hot-fix'
- '\AppData\Local\Temp\MsMpEng.exe'
- 'rmdir /s /q %SystemDrive%\inetpub\logs'
- 'del /s /q /f %SystemDrive%\\*.log'
- 'c:\kworking1\agent.exe'
- 'c:\kworking1\agent.crt'
selection2:
Image:
- 'C:\Windows\MsMpEng.exe'
- 'C:\Windows\cert.exe'
- 'C:\kworking\agent.exe'
- 'C:\kworking1\agent.exe'
selection3:
CommandLine|contains|all:
- 'del /s /q /f'
- 'WebPages\Errors\webErrorLog.txt'
condition: selection1 and selection2
falsepositives:
- Unknown
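Review bot: `selection3` (the `del /s /q /f` plus `WebPages\Errors\webErrorLog.txt` pair) is defined but never referenced, because the condition still reads `selection1 and selection2`, so the new block has no effect on matching. The AND also means the command-line indicators in `selection1` only fire when the image is one of the four paths in `selection2`, which drops events such as `rmdir /s /q %SystemDrive%\inetpub\logs` when they are executed by a shell rather than by `agent.exe` or `MsMpEng.exe`. Consider `condition: 1 of selection*` (or `selection1 or selection2 or selection3`) so that each indicator set stands on its own, and add a short falsepositives entry in place of `Unknown` if a legitimate Kaseya hot-fix path is known to hit `selection1`.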
@@ -11,14 +11,17 @@ tags:
- attack.execution
- cve.2021-1675
- cve.2021-34527
date: 2021/06/07
date: 2021/07/04
modified: 2021/07/05
logsource:
product: windows
category: registry_event
detection:
selection:
TargetObject|startswith: 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
TargetObject|startswith:
-'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
- 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
condition: selection
falsepositives:
- Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
level: critical
level: critical
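Review bot: the first entry under `TargetObject|startswith:` is written `-'HKLM\System\...\QMS 810\'` with no space between the dash and the quote, which YAML does not parse as a sequence item; the rule will either fail to load or match a single garbled string, so it should read `- 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'` like the second entry. Two smaller points in the same hunk: it shows `date: 2021/06/07` next to `date: 2021/07/04`, and if the creation date is being rewritten it should stay at 2021/06/07 with only the new `modified: 2021/07/05` line carrying the update; and `level: critical` appears on two consecutive lines at the end of the hunk, so unless that is a pure whitespace change the duplicate key should be dropped.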