Rorschach Ransomware Execution Activity
Detects Rorschach ransomware execution activity
Sigma rule:

```yaml
title: Rorschach Ransomware Execution Activity
id: 0e9e6c63-1350-48c4-9fa1-7ccb235edc68
status: test
description: Detects Rorschach ransomware execution activity
references:
    - https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
author: X__Junior (Nextron Systems)
date: 2023-04-04
modified: 2023-04-22
tags:
    - attack.execution
    - attack.t1059.003
    - attack.t1059.001
    - attack.defense-evasion
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\bcdedit.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netsh.exe'
            - '\wevtutil.exe'
            - '\vssadmin.exe'
        CommandLine|contains: '11111111'
    condition: selection
falsepositives:
    - Unlikely
level: critical
```
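The rule's selection is a conjunction: the process image must end with one of the six listed executables AND the command line must contain the marker string `11111111`. The following is an added example (not part of the Sigma rule or the Sigma project's own code) that implements that selection in plain Python and runs it over constructed process_creation events; the event field names `Image` and `CommandLine` follow the rule, and the sample command lines are made up for the test, not observed telemetry.

```python
from typing import Iterable

# Mirrors the rule's selection block. Sigma string matching is
# case-insensitive by default, so both sides are lower-cased before comparing.
IMAGE_SUFFIXES = (
    "\\bcdedit.exe", "\\net.exe", "\\net1.exe",
    "\\netsh.exe", "\\wevtutil.exe", "\\vssadmin.exe",
)
CMDLINE_MARKER = "11111111"


def matches_rule(event: dict) -> bool:
    """Return True when a process_creation event satisfies the rule's selection.

    Both conditions must hold (Sigma `condition: selection` ANDs the fields):
    Image|endswith one of IMAGE_SUFFIXES and CommandLine|contains the marker.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    return image.endswith(IMAGE_SUFFIXES) and CMDLINE_MARKER in cmdline


def find_hits(events: Iterable[dict]) -> list[dict]:
    """Filter a stream of events down to those the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net.exe stop ExampleService 11111111"},      # hit
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit.exe /enum 11111111"},                # hit
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},                 # no marker
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo 11111111"},                  # image not listed
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "|", hit["CommandLine"])
```

The two non-matching events show why the marker and the image list are both required: a benign `vssadmin list shadows` and an unrelated process echoing the marker each satisfy only one half of the selection.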