Potential Maze Ransomware Activity

calendar Jun 20, 2023 · attack.execution attack.t1204.002 attack.t1047 attack.impact attack.t1490 detection.emerging_threats  ·
Share on: linkedin copy

Detects specific process characteristics of Maze ransomware word document droppers

Sigma rule (View on GitHub)

 1title: Potential Maze Ransomware Activity
 2id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
 3status: test
 4description: Detects specific process characteristics of Maze ransomware word document droppers
 5references:
 6    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
 7    - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
 8    - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
 9author: Florian Roth (Nextron Systems)
10date: 2020/05/08
11modified: 2023/02/13
12tags:
13    - attack.execution
14    - attack.t1204.002
15    - attack.t1047
16    - attack.impact
17    - attack.t1490
18    - detection.emerging_threats
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    # Dropper
24    selection1:
25        ParentImage|endswith: '\WINWORD.exe'
26        Image|endswith: '.tmp'
27    # Binary Execution
28    selection2:
29        Image|endswith: '\wmic.exe'
30        ParentImage|contains: '\Temp\'
31        CommandLine|endswith: 'shadowcopy delete'
32    # Specific Pattern
33    selection3:
34        CommandLine|endswith: 'shadowcopy delete'
35        CommandLine|contains: '\..\..\system32'
36    condition: 1 of selection*
37fields:
38    - ComputerName
39    - User
40    - Image
41falsepositives:
42    - Unlikely
43level: critical

References

Related rules

to-top