Cicada Ransomware PSExec File Creation
Detects creation of a lightly-renamed PSExec file in C:\Users\Public, as observed in the Cicada3301 Ransomware report from MorphiSec.
Sigma rule

```yaml
title: Cicada Ransomware PSExec File Creation
id: 76cdd984-4b2b-465d-908f-d55ead0cdc9e
status: experimental
description: Detects creation of a lightly-renamed PSExec file in C:\Users\Public, as observed in the Cicada3301 Ransomware report from MorphiSec.
references:
    - https://blog.morphisec.com/cicada3301-ransomware-threat-analysis
author: 'Micah Babinski, Based on Morphisec report by Michael Gorelik (@smgoreli)'
date: 2024-09-07
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1570
    - attack.t1569
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: 'psexec'
        TargetFilename|startswith: 'C:\Users\Public'
    filter:
        TargetFilename|endswith: '\psexec.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
```
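To show exactly what the `selection and not filter` logic above does and does not catch, here is an added example (not SigmaHQ code and not from the Morphisec report) that re-implements the rule's three string modifiers in Python and runs them over constructed Sysmon Event ID 11 (FileCreate) records. Sigma string matching is case-insensitive by default, so `PsExec1.exe` matches `'psexec'`; the mapping of `file_event` to Sysmon Event ID 11 is the usual Sysmon backend mapping and is assumed here. The sample records are constructed for illustration.

```python
# Added example: minimal evaluator for the "Cicada Ransomware PSExec File
# Creation" Sigma rule, run over constructed Sysmon FileCreate records.
# This is illustrative code, not SigmaHQ's or Morphisec's.

# Sigma's contains/startswith/endswith are case-insensitive by default.
def _contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


def _startswith(value: str, prefix: str) -> bool:
    return value.lower().startswith(prefix.lower())


def _endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def matches_cicada_psexec_rule(event: dict) -> bool:
    """Evaluate `selection and not filter` for one file_event record.

    selection: TargetFilename contains 'psexec' AND starts with C:\\Users\\Public
    filter:    TargetFilename ends with '\\psexec.exe' (the unmodified binary name)
    """
    target = event.get("TargetFilename", "")
    selection = _contains(target, "psexec") and _startswith(target, r"C:\Users\Public")
    filt = _endswith(target, r"\psexec.exe")
    return selection and not filt


# Constructed Sysmon Event ID 11 records (assumed file_event mapping).
SAMPLE_EVENTS = [
    # lightly renamed copy in Public: matches selection, not excluded by filter
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Public\psexec1.exe"},
    # unmodified name: excluded by the filter, so no alert from this rule
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Public\PsExec.exe"},
    # renamed, but outside C:\Users\Public: selection fails
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Tools\psexec2.exe"},
    # subfolder of Public with a prefix added: still matches (startswith, contains)
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\Public\Documents\xPSEXEC.exe"},
    # caveat: the legitimate 64-bit build is named PsExec64.exe, which the
    # filter does not exclude, so it will also fire if dropped in Public
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Public\PsExec64.exe"},
    # a process-creation event is not a file_event and is ignored
    {"EventID": 1, "Image": r"C:\Users\Public\psexec1.exe",
     "TargetFilename": ""},
]


def run_detection(events: list[dict]) -> list[str]:
    """Return the TargetFilename of every FileCreate record the rule matches."""
    return [
        e["TargetFilename"]
        for e in events
        if e.get("EventID") == 11 and matches_cicada_psexec_rule(e)
    ]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT Cicada Ransomware PSExec File Creation:", hit)
```

The last two sample records highlight the practical points: the rule only excludes the exact name `psexec.exe`, so the legitimate `PsExec64.exe` landing in `C:\Users\Public` is a likely benign hit worth tuning if administrators use PsTools there, and the rule sees file creations only; execution of the renamed binary is covered by the related "Cicada3301 Ransomware Execution via PSExec" rule.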
References
- https://blog.morphisec.com/cicada3301-ransomware-threat-analysis
Related rules
- Cicada3301 Ransomware Execution via PSExec
- Metasploit Or Impacket Service Installation Via SMB PsExec
- PSEXEC Remote Execution File Artefact
- Rundll32 Execution Without Parameters
- CSExec Service File Creation