Nasreddine Bencherchali
45 lines
1.4 KiB
YAML
45 lines
1.4 KiB
YAML
title: WannaCry Ransomware Activity
|
|
id: 41d40bff-377a-43e2-8e1b-2e543069e079
|
|
status: test
|
|
description: Detects WannaCry ransomware activity
|
|
references:
|
|
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
|
|
- https://x.com/nas_bench/status/1868639048484425963
|
|
author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
|
|
date: 2019-01-16
|
|
modified: 2025-10-18
|
|
tags:
|
|
- attack.lateral-movement
|
|
- attack.defense-impairment
|
|
- attack.t1210
|
|
- attack.discovery
|
|
- attack.t1083
|
|
- attack.t1222.001
|
|
- attack.impact
|
|
- attack.t1486
|
|
- attack.t1490
|
|
- detection.emerging-threats
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_img:
|
|
- Image|endswith:
|
|
- '\tasksche.exe'
|
|
- '\mssecsvc.exe'
|
|
- '\taskdl.exe'
|
|
- '\taskhsvc.exe'
|
|
- '\taskse.exe'
|
|
- '\111.exe'
|
|
- '\lhdfrgui.exe'
|
|
# - '\diskpart.exe' # cannot be used in a rule of level critical
|
|
- '\linuxnew.exe'
|
|
- '\wannacry.exe'
|
|
- Image|contains: 'WanaDecryptor'
|
|
selection_cmd:
|
|
CommandLine|contains: '@Please_Read_Me@.txt'
|
|
condition: 1 of selection_*
|
|
falsepositives:
|
|
- Unknown
|
|
level: critical
|