Hyper-V Virtual Machine Discovery Shutdown via Powershell Cmdlets
Detects a PowerShell process used to find and shut down local Hyper-V VMs with the Stop-VM cmdlet, as documented in the 2024 Morphisec report on Cicada3301 ransomware.
Sigma rule

```yaml
title: Hyper-V Virtual Machine Discovery Shutdown via Powershell Cmdlets
id: d42df972-2f45-44b0-8566-3de71b9ed3e9
status: experimental
description: Detects powershell process used to find and shut down local Hyper-V VMs using the Stop-VM cmdlet, as documented in the 2024 Morphisec report on Cicada3301 ransomware.
references:
    - https://blog.morphisec.com/cicada3301-ransomware-threat-analysis
related:
    - id: 42d36aa1-3240-4db0-8257-e0118dcdd9cd # Suspicious Hyper-V Cmdlets - SigmaHQ/frack113
      type: derived
author: 'Micah Babinski, Based on Morphisec report by Michael Gorelik (@smgoreli)'
date: 2024-09-07
tags:
    - attack.defense-evasion
    - attack.impact
    - attack.t1578
    - attack.t1578.003
    - attack.t1529
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\powershell.exe'
        - OriginalFileName: 'powershell.exe'
    selection_cmd:
        CommandLine|contains|all:
            - 'Get-VM'
            - 'Stop-VM'
            - '-Force'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
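As an added illustration (not part of the rule or the SigmaHQ project), the following Python evaluates the rule's two selections over constructed process_creation events, showing why `selection_img` OR-s `Image` with `OriginalFileName` (a renamed binary is still caught) and that a `pwsh.exe` invocation falls outside the rule. The events, paths and command lines are constructed; the field values and matching semantics are taken from the rule.

```python
"""Toy evaluator for the rule's two selections over constructed
process_creation events. Sigma string matching is case-insensitive
by default, so every comparison lowercases both sides."""

# Values copied from the rule (kept lowercase for the comparisons).
IMAGE_SUFFIX = "\\powershell.exe"
ORIGINAL_FILE_NAME = "powershell.exe"
CMD_TOKENS = ("get-vm", "stop-vm", "-force")

def selection_img(event):
    """List items in a Sigma map are OR-ed: Image|endswith OR OriginalFileName."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME

def selection_cmd(event):
    """CommandLine|contains|all: every token must appear in the command line."""
    cmd = event.get("CommandLine", "").lower()
    return all(tok in cmd for tok in CMD_TOKENS)

def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cmd(event)

# Constructed sample events, not real telemetry.
EVENTS = [
    # 1: the behaviour the rule targets
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell.exe -c "Get-VM | Stop-VM -Force"'},
    # 2: renamed binary; OriginalFileName from the PE header still matches
    {"Image": r"C:\Users\Public\svc.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'svc.exe -c "Get-VM | Stop-VM -Force"'},
    # 3: graceful stop of one VM; no Get-VM and no -Force, so no alert
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell.exe -c "Stop-VM -Name lab01"'},
    # 4: same cmdlets from PowerShell 7; the rule does not cover pwsh.exe
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "OriginalFileName": "pwsh.dll",
     "CommandLine": 'pwsh.exe -c "Get-VM | Stop-VM -Force"'},
]

def alerting_events(events=EVENTS):
    """1-based indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events, start=1) if matches(ev)]
```

Event 4 is the gap a tuning pass would look at: the related "Suspicious Hyper-V Cmdlets" rule is the place such coverage would belong, since this rule is scoped to `powershell.exe` only.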