[Tuning] Ransomware over SMB (#3808)

* [Tuning] Ransomware over SMB

* Update impact_ransomware_file_rename_smb.toml

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Samirbous
2024-07-05 07:26:57 +01:00
committed by GitHub
parent cd716e5248
commit 15e9c9aa5e
2 changed files with 8 additions and 5 deletions
@@ -2,7 +2,7 @@
creation_date = "2024/05/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/06/20"
[rule]
author = ["Elastic"]
@@ -70,10 +70,11 @@ query = '''
sequence by host.id with maxspan=1s
[network where host.os.type == "windows" and
event.action == "connection_accepted" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and
source.ip != "127.0.0.1" and source.ip != "::1"]
source.ip != "127.0.0.1" and source.ip != "::1" and
network.type == "ipv4" and not endswith(source.address, destination.address)]
[file where host.os.type == "windows" and
event.action == "rename" and process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-*") and
file.extension != null and file.Ext.entropy >= 6 and
file.extension != null and file.Ext.entropy >= 6 and file.path : "C:\\Users\\*" and
file.Ext.original.name : ("*.jpg", "*.bmp", "*.png", "*.pdf", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.lnk") and
not file.extension : ("jpg", "bmp", "png", "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "*.lnk")] with runs=3
'''
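Review bot: The `"*.lnk"` entry in the trailing `not file.extension : (...)` list is ineffective, because `file.extension` carries the bare extension like the other entries (`jpg`, `bmp`, …), so a rename to `.lnk` is never excluded; it should read `"lnk"`. The added `network.type == "ipv4"` makes the `source.ip != "::1"` test on the same line redundant and removes IPv6 SMB sessions from this rule and from the creation rule in the second file; if that is deliberate, a short `/* ipv4 only: IPv6 SMB sessions are out of scope */` comment in the query would record it. `endswith(source.address, destination.address)` is a suffix match rather than an equality test, so it can also drop a client whose address merely ends with the server's; `source.address != destination.address` states the intent more precisely, unless the suffix form is covering a specific address format. The new `file.path : "C:\\Users\\*"` filter narrows both rules to user-profile paths, so renames on shares under other volumes are no longer covered — worth stating in the rule description, which lies outside this hunk.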
@@ -2,7 +2,7 @@
creation_date = "2024/05/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/06/20"
[rule]
author = ["Elastic"]
@@ -70,9 +70,11 @@ query = '''
sequence by host.id with maxspan=1s
[network where host.os.type == "windows" and
event.action == "connection_accepted" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and
source.ip != "127.0.0.1" and source.ip != "::1"]
source.ip != "127.0.0.1" and source.ip != "::1" and
network.type == "ipv4" and not endswith(source.address, destination.address)]
[file where host.os.type == "windows" and event.action == "creation" and
process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-*") and file.extension : ("hta", "txt", "readme", "htm*") and
file.path : "C:\\Users\\*" and
/* ransom file name keywords */
file.name : ("*read*me*", "*lock*", "*@*", "*RECOVER*", "*decrypt*", "*restore*file*", "*FILES_BACK*", "*how*to*")] with runs=3
'''
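Review bot: The `file.name` keyword list uses broad substring patterns: `*lock*` also matches names such as `clock.txt` or `blocklist.txt`, and `*@*` matches any name containing an `@`. Nothing in the query records that the `file.extension` filter and `with runs=3` are what keep these from firing on a single ordinary file; extending the existing comment to `/* ransom file name keywords; broad on purpose, bounded by the extension filter and runs=3 */` would make that explicit. The rest of the `[rule]` table lies outside the hunk.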