NotPetya Ransomware Activity
Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
Sigma rule (View on GitHub)
1title: NotPetya Ransomware Activity
2id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
3status: test
4description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
5references:
6 - https://securelist.com/schroedingers-petya/78870/
7 - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
8author: Florian Roth (Nextron Systems), Tom Ueltschi
9date: 2019/01/16
10modified: 2022/12/15
11tags:
12 - attack.defense_evasion
13 - attack.t1218.011
14 - attack.t1070.001
15 - attack.credential_access
16 - attack.t1003.001
17 - car.2016-04-002
18 - detection.emerging_threats
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection_specific_pattern:
24 CommandLine|contains:
25 - 'wevtutil cl Application & fsutil usn deletejournal /D C:'
26 - 'dllhost.dat %WINDIR%\ransoms'
27 selection_rundll32:
28 Image|endswith: '\rundll32.exe'
29 CommandLine|endswith:
30 - '.dat,#1'
31 - '.dat #1' # Sysmon removes comma
32 - '.zip.dll",#1'
33 selection_perfc_keyword:
34 - '\perfc.dat'
35 condition: 1 of selection_*
36falsepositives:
37 - Unknown
38level: critical
References
Related rules
- Process Access via TrolleyExpress Exclusion
- Equation Group DLL_U Export Function Load
- Potential Emotet Rundll32 Execution
- Process Memory Dump Via Comsvcs.DLL
- Sofacy Trojan Loader Activity