Potential BlackByte Ransomware Activity

Aug 28, 2023 · detection.emerging_threats attack.execution attack.defense_evasion attack.impact attack.t1485 attack.t1498 attack.t1059.001 attack.t1140 ·

Share on:

Detects command line patterns used by BlackByte ransomware in different operations

Sigma rule (View on GitHub)

 1title: Potential BlackByte Ransomware Activity
 2id: 999e8307-a775-4d5f-addc-4855632335be
 3status: test
 4description: Detects command line patterns used by BlackByte ransomware in different operations
 5references:
 6    - https://redcanary.com/blog/blackbyte-ransomware/
 7author: Florian Roth (Nextron Systems)
 8date: 2022/02/25
 9modified: 2023/02/08
10tags:
11    - detection.emerging_threats
12    - attack.execution
13    - attack.defense_evasion
14    - attack.impact
15    - attack.t1485
16    - attack.t1498
17    - attack.t1059.001
18    - attack.t1140
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_1:
24        Image|startswith: 'C:\Users\Public\'
25        CommandLine|contains: ' -single '
26    selection_2:
27        CommandLine|contains:
28            - 'del C:\Windows\System32\Taskmgr.exe'
29            - ';Set-Service -StartupType Disabled $'
30            - 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('
31            - ' do start wordpad.exe /p '
32    condition: 1 of selection_*
33falsepositives:
34    - Unknown
35level: high

References

ProxyShell exploitation leads to BlackByte ransomware - Red Canary

BlackByte ransomware leverages ProxyShell Microsoft Exchange vulnerabilities for initial access and Cobalt Strike for lateral movement.

Read More

Potential BlackByte Ransomware Activity

Sigma rule (View on GitHub)

References

ProxyShell exploitation leads to BlackByte ransomware - Red Canary

Related rules