Executable Deployment from Remote Share
Detects use of the `copy` utility to deploy executable files from a remote administrative share (reached by IP address) into a temp directory, the staging procedure Microsoft attributed to the Vice Society ransomware gang (DEV-0832) in the referenced report.
Sigma rule

```yaml
title: Executable Deployment from Remote Share
id: 85f915d8-7cbc-4bd5-b1cc-03c7f3188c19
status: experimental
description: Detects use of the copy utility to deploy executable files from a remote share to a temp directory, such as the procedure performed by Vice Ransomware gang.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
author: Micah Babinski
date: 2022/11/26
tags:
    - attack.lateral_movement
    - attack.command_and_control
    - attack.t1105
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|windash: '/c'
        CommandLine|contains|all:
            - 'copy'
            - 'exe'
            - 'c$'
            - '\\\\'
        CommandLine|contains:
            - 'temp'
            - 'tmp'
        CommandLine|re: '.*(?:[0-9]{1,3}\.){3}[0-9]{1,3}.*'
    condition: selection
falsepositives:
    - Unknown
level: high
```
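To see exactly what the `selection` block above matches and misses, here is an added Python re-implementation of its logic run over a handful of constructed process_creation events. This is example code written for this page, not the rule's own code or anything from SigmaHQ; the event dictionaries are invented samples, and the field names `Image` and `CommandLine` mirror the Sigma fields the rule uses. Sigma's `contains`/`endswith` comparisons are case-insensitive, the `windash` modifier accepts `-c` as well as `/c`, and the rule's escaped `'\\\\'` denotes the two-backslash UNC prefix; the code reproduces those three points.

```python
import re

# Regex copied from the rule: an IPv4-looking dotted quad anywhere in the command line.
IP_RE = re.compile(r'.*(?:[0-9]{1,3}\.){3}[0-9]{1,3}.*')


def matches_rule(event):
    """Return True when one process_creation event satisfies the rule's `selection`."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    lc = cmd.lower()  # Sigma string modifiers compare case-insensitively

    # Image|endswith: '\cmd.exe'
    if not image.endswith("\\cmd.exe"):
        return False
    # CommandLine|contains|windash: '/c'  (windash also accepts the '-c' spelling)
    if "/c" not in lc and "-c" not in lc:
        return False
    # CommandLine|contains|all: copy, exe, c$, and the UNC prefix '\\'
    if not all(token in lc for token in ("copy", "exe", "c$", "\\\\")):
        return False
    # CommandLine|contains: temp OR tmp
    if "temp" not in lc and "tmp" not in lc:
        return False
    # CommandLine|re: dotted-quad IP address somewhere in the command line
    return IP_RE.match(cmd) is not None


CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry), labelled by what each one exercises.
SAMPLE_EVENTS = [
    {"label": "vice_society_style", "Image": CMD,
     "CommandLine": r"cmd.exe /c copy \\10.200.3.15\c$\Windows\Temp\w.exe C:\Windows\Temp\w.exe"},
    # Same staging, but the share is reached by hostname: the IP regex does not fire.
    {"label": "hostname_share", "Image": CMD,
     "CommandLine": r"cmd.exe /c copy \\fileserver01\c$\tools\agent.exe C:\Windows\Temp\agent.exe"},
    # Non-executable payload and the interpreter invoked as 'cmd': no 'exe' token anywhere.
    {"label": "non_exe_payload", "Image": CMD,
     "CommandLine": r"cmd /c copy \\10.0.0.2\c$\share\report.docx C:\Temp\report.docx"},
    # Same copy of a .docx, but 'cmd.exe' in the command line satisfies the 'exe' token by itself.
    {"label": "exe_token_from_interpreter", "Image": CMD,
     "CommandLine": r"cmd.exe /c copy \\10.0.0.2\c$\share\report.docx C:\Temp\report.docx"},
    # Same transfer via PowerShell: Image is not cmd.exe, so the rule never looks further.
    {"label": "powershell_copy", "Image": PS,
     "CommandLine": r"powershell -c Copy-Item \\10.0.0.2\c$\Temp\x.exe C:\Temp\x.exe"},
    # Dash-style switch, accepted because of the windash modifier.
    {"label": "dash_switch", "Image": CMD,
     "CommandLine": r"cmd -c copy \\192.168.1.10\c$\temp\x.exe c:\temp\x.exe"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Map each sample label to the rule's verdict for that event."""
    return {e["label"]: matches_rule(e) for e in events}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'quiet '} {label}")
```

Two things the run makes visible before this rule is deployed at level high: the `'exe'` token is satisfied by the interpreter's own name whenever the logged command line begins with `cmd.exe`, so it does not actually constrain the copied file to an executable, and the IPv4 regex means the same staging against a share addressed by hostname is not matched at all.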