Potential Snatch Ransomware Activity
Detects specific process characteristics of Snatch ransomware word document droppers
Sigma rule
title: Potential Snatch Ransomware Activity
id: 5325945e-f1f0-406e-97b8-65104d393fff
status: stable
description: Detects specific process characteristics of Snatch ransomware word document droppers
references:
    - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
author: Florian Roth (Nextron Systems)
date: 2020-08-26
modified: 2023-02-13
tags:
    - attack.execution
    - attack.t1204
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'shutdown /r /f /t 00' # Forced immediate reboot, used by Snatch to restart into safe mode
            - 'net stop SuperBackupMan'
    condition: selection
fields:
    - ComputerName
    - User
    - Image
falsepositives:
    - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
level: high
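The rule above is a single selection over the CommandLine field with two substrings and the condition `selection`, so its whole logic fits in a few lines. The following is an added example, not code from the Sigma project or the rule author: it hard-codes that selection and the rule's `fields` list and runs them over constructed process-creation events (the host names, users and command lines are made up). It assumes events are already mapped to Sigma field names (`CommandLine`, `Image`, `User`, `ComputerName`) and applies the default Sigma semantics for `contains`, which is a case-insensitive substring test.

```python
"""Added example: evaluate the Snatch rule's selection over process-creation events.

Not part of the Sigma project. The selection and 'fields' below are transcribed
from the rule on this page; the events are constructed for illustration.
"""

# Transcribed from the rule's detection.selection block (CommandLine|contains).
SNATCH_COMMANDLINE_CONTAINS = (
    "shutdown /r /f /t 00",
    "net stop SuperBackupMan",
)

# Transcribed from the rule's 'fields' list: what an alert should surface.
ALERT_FIELDS = ("ComputerName", "User", "Image")


def matched_indicator(event):
    """Return the first listed substring present in the event's CommandLine,
    or None. Sigma string matching is case-insensitive by default, so both
    sides are lower-cased before the substring test."""
    cmdline = event.get("CommandLine")
    if not isinstance(cmdline, str):
        return None
    haystack = cmdline.lower()
    for needle in SNATCH_COMMANDLINE_CONTAINS:
        if needle.lower() in haystack:
            return needle
    return None


def selection_matches(event):
    """The rule's condition is just 'selection', so any listed substring
    hitting the CommandLine field is a rule match."""
    return matched_indicator(event) is not None


def evaluate(events):
    """Return one alert per matching event, carrying the rule's 'fields',
    the full command line and the indicator that fired."""
    alerts = []
    for event in events:
        indicator = matched_indicator(event)
        if indicator is None:
            continue
        alert = {name: event.get(name) for name in ALERT_FIELDS}
        alert["CommandLine"] = event["CommandLine"]
        alert["Indicator"] = indicator
        alerts.append(alert)
    return alerts


# Constructed sample events (hypothetical hosts, users and paths, not real telemetry).
SAMPLE_EVENTS = [
    {   # matches the backup-service indicator, wrapped in a cmd.exe /c call
        "ComputerName": "WS01", "User": "CORP\\alice",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": 'cmd.exe /c "net stop SuperBackupMan"',
    },
    {   # matches the reboot indicator despite upper-case switches
        "ComputerName": "WS02", "User": "CORP\\bob",
        "Image": "C:\\Windows\\System32\\shutdown.exe",
        "CommandLine": "SHUTDOWN /R /F /T 00",
    },
    {   # benign: a delayed, non-forced reboot
        "ComputerName": "WS03", "User": "CORP\\carol",
        "Image": "C:\\Windows\\System32\\shutdown.exe",
        "CommandLine": "shutdown /r /t 60",
    },
    {   # benign: stopping an unrelated service
        "ComputerName": "WS04", "User": "CORP\\dave",
        "Image": "C:\\Windows\\System32\\net.exe",
        "CommandLine": "net stop Spooler",
    },
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Only the first two constructed events produce alerts; the case-insensitive comparison is what lets the upper-cased `SHUTDOWN /R /F /T 00` line match, which matters because Windows command lines are frequently logged with mixed case.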
Related rules
- DarkSide Ransomware Pattern
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- Blue Mockingbird