Potential Conti Ransomware Activity
Detects a specific command used by the Conti ransomware group
Sigma rule

```yaml
title: Potential Conti Ransomware Activity
id: 689308fc-cfba-4f72-9897-796c1dc61487
status: test
description: Detects a specific command used by the Conti ransomware group
references:
  - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
  - https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
author: frack113
date: 2021-10-12
modified: 2023-02-13
tags:
  - attack.impact
  - attack.s0575
  - attack.t1486
  - detection.emerging-threats
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains|all:
      - '-m '
      - '-net '
      - '-size ' # Size 10 in references
      - '-nomutex '
      - '-p \\\\'
      - '$'
  condition: selection
falsepositives:
  - Unlikely
level: critical
```
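As an added example (not part of the rule or of the SigmaHQ project), a small Python matcher that evaluates this rule's `contains|all` selection over constructed process_creation events, including the Sigma unescaping that turns the YAML value `'-p \\\\'` into the literal UNC prefix `-p \\`. The event field names, the `category` tag, the helper names and the sample command lines are assumptions made for the example.

```python
from typing import Dict, List

# The six values copied from the rule's CommandLine|contains|all list (raw string keeps the backslashes).
CONTI_CONTAINS_ALL = ['-m ', '-net ', '-size ', '-nomutex ', r'-p \\\\', '$']


def sigma_unescape(value: str) -> str:
    """Turn a Sigma plain-string value into the literal text to search for.
    In Sigma, '\\\\' (two backslashes) denotes one literal backslash and a
    backslash before '*' or '?' denotes the literal character; this matcher
    supports no unescaped wildcards, so everything else is taken as-is."""
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value) and value[i + 1] in '\\*?':
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def selection_matches(command_line: str, needles: List[str] = CONTI_CONTAINS_ALL) -> bool:
    """contains|all: every unescaped value must occur as a case-insensitive substring."""
    haystack = command_line.lower()
    return all(sigma_unescape(n).lower() in haystack for n in needles)


def run_rule(events: List[Dict[str, str]]) -> List[str]:
    """Return ids of process_creation events hitting the selection (condition: selection)."""
    return [e['id'] for e in events
            if e.get('category') == 'process_creation'
            and selection_matches(e.get('CommandLine', ''))]


# Constructed sample telemetry for testing the rule (not real captures).
SAMPLE_EVENTS = [
    {'id': 'ev1', 'category': 'process_creation',   # all six tokens present, UNC target share
     'CommandLine': r'C:\ProgramData\sample.exe -m net -net -size 10 -nomutex -p \\srv01\data$'},
    {'id': 'ev2', 'category': 'process_creation',   # admin share mapping: has \\ and $ but none of the flags
     'CommandLine': r'net use Z: \\srv01\c$ /persistent:no'},
    {'id': 'ev3', 'category': 'process_creation',   # near miss: lacks '-nomutex ' and the '-p \\' UNC prefix
     'CommandLine': r'backup.exe -m full -net -size 5 -p C:\backup$'},
    {'id': 'ev4', 'category': 'process_creation',   # upper-case variant: Sigma string matching is case-insensitive
     'CommandLine': r'C:\Temp\SAMPLE.EXE -M NET -NET -SIZE 10 -NOMUTEX -P \\SRV01\DATA$'},
    {'id': 'ev5', 'category': 'network_connection',  # wrong logsource category, never evaluated
     'CommandLine': r'x -m -net -size -nomutex -p \\h\s$'},
]

if __name__ == '__main__':
    print(run_rule(SAMPLE_EVENTS))  # ['ev1', 'ev4']
```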
Related rules
- BlueSky Ransomware Artefacts
- LockerGoga Ransomware Activity
- WannaCry Ransomware Activity
- AWS EC2 Disable EBS Encryption
- Microsoft 365 - Potential Ransomware Activity