Suspicious Command Line Indicating BlackCat Execution
Detects process execution with the --access-token flag accompanied by a 64-character alphanumeric string in the space-delimited command-line arguments..
Sigma rule (View on GitHub)
1title: Suspicious Command Line Indicating BlackCat Execution
2id: df69c374-327e-4146-acff-4a961bb1b755
3status: experimental
4description: Detects process execution with the --access-token flag accompanied by a 64-character alphanumeric string in the space-delimited command-line arguments..
5references:
6 - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
7author: Micah Babinski
8date: 2022/12/04
9tags:
10 - attack.execution
11 - attack.t1059
12 - attack.t1204
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 CommandLine|contains: '--access-token'
19 CommandLine|re: '^.*\s{1}[a-zA-Z0-9]{64}\s{1}.*$'
20 condition: selection
21falsepositives:
22 - Unknown
23level: high```
References
Related rules
- Suspicious Command Line Indicating BlackCat Execution with Get UUID Option
- Suspicious Powershell Cmdlets
- Suspicious WMI-Related Powershell Cmdlets
- Wscript.exe Executing Agreement Javascript in AppData Folder
- PCRE.NET Package Temp Files