Suspicious Command Line Indicating BlackCat Execution

Dec 6, 2022 · attack.execution attack.t1059 attack.t1204 ·

Detects process execution with the --access-token flag accompanied by a 64-character alphanumeric string in the space-delimited command-line arguments..

Sigma rule (View on GitHub)

 1title: Suspicious Command Line Indicating BlackCat Execution
 2id: df69c374-327e-4146-acff-4a961bb1b755
 3status: experimental
 4description: Detects process execution with the --access-token flag accompanied by a 64-character alphanumeric string in the space-delimited command-line arguments..
 5references:
 6    - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
 7author: Micah Babinski
 8date: 2022/12/04
 9tags:
10    - attack.execution
11    - attack.t1059
12    - attack.t1204
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        CommandLine|contains: '--access-token'
19        CommandLine|re: '^.*\s{1}[a-zA-Z0-9]{64}\s{1}.*$'
20    condition: selection
21falsepositives:
22    - Unknown
23level: high```

References

The many lives of BlackCat ransomware | Microsoft Security Blog

The use of an unconventional programming language, multiple target devices and possible entry points, and affiliation with prolific threat activity groups have made the BlackCat ransomware a prevalent threat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy.

Read More

Suspicious Command Line Indicating BlackCat Execution

Sigma rule (View on GitHub)

References

The many lives of BlackCat ransomware | Microsoft Security Blog

Related rules