Potential Conti Ransomware Activity

 1title: Potential Conti Ransomware Activity
 2id: 689308fc-cfba-4f72-9897-796c1dc61487
 3status: test
 4description: Detects a specific command used by the Conti ransomware group
 5references:
 6    - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
 7    - https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
 8author: frack113
 9date: 2021/10/12
10modified: 2023/02/13
11tags:
12    - attack.impact
13    - attack.s0575
14    - attack.t1486
15    - detection.emerging_threats
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        CommandLine|contains|all:
22            - '-m '
23            - '-net '
24            - '-size ' # Size 10 in references
25            - '-nomutex '
26            - '-p \\\\'
27            - '$'
28    condition: selection
29falsepositives:
30    - Unlikely
31level: critical

References

• Conti affiliates use ProxyShell Exchange exploit in ransomware attacks

  

  An investigation into recent attacks by a Conti affiliate reveals that that the attackers initially accessed targeted organizations’ networks with ProxyShell, an exploit of vulnerabilities in…

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• LockerGoga Ransomware Activity
• Potential Dtrack RAT Activity
• Potential Maze Ransomware Activity
• Suspicious Multiple File Rename Or Delete Occurred
• Suspicious Creation TXT File in User Desktop