NotPetya Ransomware Activity
Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via a named pipe, the file system journal of drive C is deleted, and Windows event logs are cleared using wevtutil.
Sigma rule
```yaml
title: NotPetya Ransomware Activity
id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
status: test
description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
references:
    - https://securelist.com/schroedingers-petya/78870/
    - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
author: Florian Roth (Nextron Systems), Tom Ueltschi
date: 2019-01-16
modified: 2022-12-15
tags:
    - attack.defense-evasion
    - attack.t1218.011
    - attack.t1070.001
    - attack.credential-access
    - attack.t1003.001
    - car.2016-04-002
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_specific_pattern:
        CommandLine|contains:
            - 'wevtutil cl Application & fsutil usn deletejournal /D C:'
            - 'dllhost.dat %WINDIR%\ransoms'
    selection_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith:
            - '.dat,#1'
            - '.dat #1' # Sysmon removes comma
            - '.zip.dll",#1'
    selection_perfc_keyword:
        - '\perfc.dat'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
```
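How the three selections and the `1 of selection_*` condition evaluate, as an added Python example that is not part of the Sigma project or this rule's tooling. It assumes Sigma's default case-insensitive matching; the events, the `viewer.exe` binary and the function names are constructed for illustration.

```python
# Added example: the rule's three selections applied to constructed events.
# Assumes Sigma's default case-insensitive string matching.
SPECIFIC_PATTERNS = [
    "wevtutil cl Application & fsutil usn deletejournal /D C:",
    r"dllhost.dat %WINDIR%\ransoms",
]
RUNDLL32_SUFFIXES = [".dat,#1", ".dat #1", '.zip.dll",#1']
PERFC_KEYWORD = r"\perfc.dat"


def matched_selections(event):
    """Return the names of the selections that match one event (a dict)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    hits = []
    # Value list = OR: any listed substring in CommandLine.
    if any(p.lower() in cmd for p in SPECIFIC_PATTERNS):
        hits.append("selection_specific_pattern")
    # Field map = AND: Image and CommandLine must both match.
    if image.endswith(r"\rundll32.exe") and any(
        cmd.endswith(s.lower()) for s in RUNDLL32_SUFFIXES
    ):
        hits.append("selection_rundll32")
    # Keyword selection: searched in every field of the event.
    if any(PERFC_KEYWORD in str(v).lower() for v in event.values()):
        hits.append("selection_perfc_keyword")
    return hits


def rule_fires(event):
    """condition: 1 of selection_*"""
    return bool(matched_selections(event))


# Constructed process_creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\perfc.dat #1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Tools\viewer.exe",  # hypothetical non-rundll32 binary
     "CommandLine": "viewer.exe data.dat #1"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(rule_fires(ev), matched_selections(ev), ev["CommandLine"])
```

The last two events show why `selection_rundll32` stays quiet on ordinary rundll32 use and on a `.dat #1` suffix from another image: both fields of the selection must match.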
Related rules
- Process Access via TrolleyExpress Exclusion
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- APT31 Judgement Panda Activity
- Equation Group DLL_U Export Function Load