Executable Deployment from Remote Share

Detects use of the copy utility to deploy executable files from a remote share to a temp directory, such as the procedure performed by Vice Ransomware gang.

Sigma rule

```yaml
title: Executable Deployment from Remote Share
id: 85f915d8-7cbc-4bd5-b1cc-03c7f3188c19
status: experimental
description: Detects use of the copy utility to deploy executable files from a remote share to a temp directory, such as the procedure performed by Vice Ransomware gang.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
author: Micah Babinski
date: 2022/11/26
tags:
    - attack.lateral_movement
    - attack.command_and_control
    - attack.t1105
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|windash: '/c'
        CommandLine|contains|all:
            - 'copy'
            - 'exe'
            - 'c$'
            - '\\\\'
        CommandLine|contains:
            - 'temp'
            - 'tmp'
        CommandLine|re: '.*(?:[0-9]{1,3}\.){3}[0-9]{1,3}.*'
    condition: selection
falsepositives:
    - Unknown
level: high
```
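To see which process_creation events the selection above actually fires on, the following added example (not part of the rule, the Sigma project, or any Sigma backend) re-implements the rule's clauses in Python and runs them over a few constructed events. It assumes Sigma's case-insensitive string matching and that the CommandLine field carries the full command line including the image name.

```python
import re

# Dotted-quad IPv4 pattern, copied from the rule's CommandLine|re clause
IPV4_RE = re.compile(r".*(?:[0-9]{1,3}\.){3}[0-9]{1,3}.*")


def matches_rule(image: str, command_line: str) -> bool:
    """Return True when an event satisfies every clause of the rule's selection."""
    cl = command_line.lower()  # Sigma string matching is case-insensitive
    if not image.lower().endswith("\\cmd.exe"):          # Image|endswith
        return False
    if "/c" not in cl and "-c" not in cl:                # contains|windash '/c'
        return False
    # contains|all: copy, exe, c$ and a UNC-style double backslash
    if not all(tok in cl for tok in ("copy", "exe", "c$", "\\\\")):
        return False
    if "temp" not in cl and "tmp" not in cl:             # contains: temp OR tmp
        return False
    return IPV4_RE.match(command_line) is not None       # re: IPv4 address


# Constructed sample events (hypothetical, not taken from any real incident)
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\10.0.0.5\c$\users\public\payload.exe C:\Windows\Temp"},
    # admin share is not referenced -> no 'c$'
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\fileserver\share\report.docx C:\Users\bob\Documents"},
    # destination is not a temp directory
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\10.0.0.5\c$\tools\agent.exe C:\Program Files\Agent"},
    # wrong parent image
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Copy-Item \\10.0.0.5\c$\x.exe C:\Windows\Temp"},
]


def evaluate(events):
    """Return the CommandLine of every event that triggers the rule."""
    return [e["CommandLine"] for e in events
            if matches_rule(e["Image"], e["CommandLine"])]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Note that the `'exe'` token is already satisfied by `cmd.exe` in the command line itself, so in practice the rule keys on the combination of `copy`, `c$`, the UNC prefix, a temp/tmp path and an IPv4 address rather than on the copied file's extension.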
