Potential Snatch Ransomware Activity
Detects specific process characteristics of Snatch ransomware word document droppers
Sigma rule
```yaml
title: Potential Snatch Ransomware Activity
id: 5325945e-f1f0-406e-97b8-65104d393fff
status: stable
description: Detects specific process characteristics of Snatch ransomware word document droppers
references:
  - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
author: Florian Roth (Nextron Systems)
date: 2020-08-26
modified: 2025-10-19
tags:
  - attack.execution
  - attack.t1204
  - detection.emerging-threats
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    - CommandLine|re: 'shutdown\s+/r /f /t 00' # Shutdown in safe mode immediately
    - CommandLine|re: 'net\s+stop SuperBackupMan'
  condition: selection
falsepositives:
  - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
level: high
```
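To show what the rule's `selection` actually evaluates, here is the detection logic ported to a small Python matcher and run over constructed `process_creation` events. This is an added example written for this page, not code from the Sigma project or from the rule's author; the event dictionaries, `matches_rule` and `scan` are illustrative assumptions. The two patterns are copied verbatim from the rule; since `selection` is a YAML list of maps, its entries are OR-ed, and the Sigma `re` modifier is a regex search that is case-sensitive unless the `|i` sub-modifier is added.

```python
import re

# Regexes taken from the rule's selection list. Sigma's `re` modifier is a
# search (match anywhere in the field), case-sensitive unless `re|i` is used.
SELECTION_PATTERNS = [
    re.compile(r"shutdown\s+/r /f /t 00"),     # forced reboot with no delay
    re.compile(r"net\s+stop SuperBackupMan"),  # stopping the backup service
]


def matches_rule(event: dict) -> bool:
    """Evaluate `condition: selection` for one process_creation event.

    The selection is a list, so its two entries are OR-ed: any one regex
    hitting the CommandLine field is enough to fire the rule.
    """
    cmd = event.get("CommandLine", "")
    return any(p.search(cmd) for p in SELECTION_PATTERNS)


def scan(events):
    """Return the subset of events that trigger the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (illustrative, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown /r /f /t 00"},            # matches pattern 1
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net  stop SuperBackupMan"},        # \s+ absorbs extra spaces
    {"Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown /r /t 300"},              # delayed, not forced: no match
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop Spooler"},                # unrelated service: no match
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT: Potential Snatch Ransomware Activity ->", hit["CommandLine"])
```

Running the block prints two alerts, one per pattern. Note that an uppercase `SHUTDOWN /r /f /t 00` would not match this port because the rule uses plain `re` rather than `re|i`; whether a given SIEM backend normalises case before matching is something to verify in the pipeline that consumes the rule, and in production the rule should be compiled with a Sigma backend rather than hand-ported as done here.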
References
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
Related rules
- DarkSide Ransomware Pattern
- Mint Sandstorm - AsperaFaspex Suspicious Process Execution
- Mint Sandstorm - ManageEngine Suspicious Process Execution
- Turla Group Commands May 2020
- Blue Mockingbird