Potential BlackByte Ransomware Activity
Detects command line patterns used by BlackByte ransomware in different operations
Sigma rule

title: Potential BlackByte Ransomware Activity
id: 999e8307-a775-4d5f-addc-4855632335be
status: test
description: Detects command line patterns used by BlackByte ransomware in different operations
references:
    - https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-25
modified: 2023-02-08
tags:
    - detection.emerging-threats
    - attack.execution
    - attack.defense-evasion
    - attack.impact
    - attack.t1485
    - attack.t1498
    - attack.t1059.001
    - attack.t1140
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        Image|startswith: 'C:\Users\Public\'
        CommandLine|contains: ' -single '
    selection_2:
        CommandLine|contains:
            - 'del C:\Windows\System32\Taskmgr.exe'
            - ';Set-Service -StartupType Disabled $'
            - 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('
            - ' do start wordpad.exe /p '
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
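To show how the detection block above actually fires, here is an added example (not part of the Sigma project or of this rule) that evaluates the two selections against constructed process_creation events. It implements the Sigma semantics the rule depends on: string values match case-insensitively, the keys inside one selection are ANDed, a list of values under a single key is ORed, and `1 of selection_*` fires when any selection matches. The event names and file names (stage.exe, tool.exe, app.exe) are made up for illustration and are not BlackByte indicators.

```python
# Added example: minimal evaluator for this rule's detection block.
# Not the Sigma project's code; sample events below are constructed.

SELECTIONS = {
    "selection_1": {
        "Image|startswith": "C:\\Users\\Public\\",
        "CommandLine|contains": " -single ",
    },
    "selection_2": {
        "CommandLine|contains": [
            "del C:\\Windows\\System32\\Taskmgr.exe",
            ";Set-Service -StartupType Disabled $",
            'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(',
            " do start wordpad.exe /p ",
        ],
    },
}


def field_matches(event, key, values):
    """Apply one 'Field|modifier: value(s)' line of a selection to an event."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()  # Sigma strings match case-insensitively
    if not isinstance(values, list):
        values = [values]
    for value in values:  # several values under one key are ORed
        value = value.lower()
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event, selection):
    """Every key of a selection map must match (AND)."""
    return all(field_matches(event, key, vals) for key, vals in selection.items())


def rule_matches(event):
    """condition: 1 of selection_*  ->  any matching selection is enough."""
    return any(selection_matches(event, sel) for sel in SELECTIONS.values())


# Constructed sample events; file names are hypothetical, not real IOCs.
EVENTS = {
    "staged_single_run": {
        "Image": "C:\\Users\\Public\\stage.exe",
        "CommandLine": "C:\\Users\\Public\\stage.exe -single 1234",
    },
    "taskmgr_deleted_mixed_case": {
        # matches selection_2 despite the different casing
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c DEL C:\\windows\\system32\\taskmgr.exe",
    },
    "single_flag_without_spaces": {
        # '-single' present but not surrounded by spaces: ' -single ' does not match
        "Image": "C:\\Users\\Public\\tool.exe",
        "CommandLine": "C:\\Users\\Public\\tool.exe --single-run",
    },
    "single_outside_public": {
        # right command line, wrong path: selection_1 needs both keys
        "Image": "C:\\Program Files\\Vendor\\app.exe",
        "CommandLine": "app.exe -single 1234",
    },
    "benign_svchost": {
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p",
    },
}


def evaluate(events=EVENTS):
    """Return {event name: True/False} for the rule over the given events."""
    return {name: rule_matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'ok   '} {name}")
```

The two negative cases are the ones worth noting when tuning: the surrounding spaces in ' -single ' are deliberate and keep '--single-run'-style flags from matching, and selection_1 requires both the Public-folder image path and the flag, so the same switch from an installed program path does not fire.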
References
- https://redcanary.com/blog/blackbyte-ransomware/
Related rules
- Greenbug Espionage Group Indicators
- Operation Wocao Activity
- Operation Wocao Activity - Security
- Potential Baby Shark Malware Activity
- Potential Bumblebee Remote Thread Creation