NotPetya Ransomware Activity

calendar Apr 28, 2026 · attack.stealth attack.defense-impairment attack.t1218.011 attack.t1685.005 attack.credential-access attack.t1003.001 car.2016-04-002 detection.emerging-threats  ·
Share on: linkedin copy

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil

Sigma rule (View on GitHub)

 1title: NotPetya Ransomware Activity
 2id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
 3status: test
 4description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
 5references:
 6    - https://securelist.com/schroedingers-petya/78870/
 7    - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
 8author: Florian Roth (Nextron Systems), Tom Ueltschi
 9date: 2019-01-16
10modified: 2022-12-15
11tags:
12    - attack.stealth
13    - attack.defense-impairment
14    - attack.t1218.011
15    - attack.t1685.005
16    - attack.credential-access
17    - attack.t1003.001
18    - car.2016-04-002
19    - detection.emerging-threats
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_specific_pattern:
25        CommandLine|contains:
26            - 'wevtutil cl Application & fsutil usn deletejournal /D C:'
27            - 'dllhost.dat %WINDIR%\ransoms'
28    selection_rundll32:
29        Image|endswith: '\rundll32.exe'
30        CommandLine|endswith:
31            - '.dat,#1'
32            - '.dat #1' # Sysmon removes comma
33            - '.zip.dll",#1'
34    selection_perfc_keyword:
35        - '\perfc.dat'
36    condition: 1 of selection_*
37falsepositives:
38    - Unknown
39level: critical

References

Related rules

to-top