frack113 5aa62bd342 fix yml
2021-10-12 21:02:15 +02:00


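# Sigma detection rule for Windows process-creation telemetry.
# It matches a command line that carries every one of the six substrings
# listed under `selection` (`contains|all` — all must be present, in any
# order), which is the switch combination reported for Conti in the two
# references. The trailing spaces inside the switch strings are part of the
# match value and are intentional; do not trim them when editing.
title: Conti Ransomware Execution
id: 689308fc-cfba-4f72-9897-796c1dc61487
status: experimental
author: frack113
date: 2021/10/12
description: Conti ransomware command line ioc
references:
  - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
  - https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
tags:
  - attack.impact
  - attack.s0575
  - attack.t1486
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # Every entry below must appear somewhere in CommandLine for a hit.
    CommandLine|contains|all:
      - '-m '
      - '-net '
      - '-size '  # size 10 in references
      - '-nomutex '
      # Single-quoted, so the two backslashes are literal characters in the
      # YAML value; the Sigma backend decides how they are escaped for the
      # target query language.
      - '-p \\'
      # NOTE(review): presumably the `-p` argument ends in a `$` (a share
      # name) — confirm against the references before tightening this.
      - '$'
  condition: selection
falsepositives:
  - Unknown should be low
level: critical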