Rorschach Ransomware Execution Activity
Detects Rorschach ransomware execution activity
Sigma rule (View on GitHub)
1title: Rorschach Ransomware Execution Activity
2id: 0e9e6c63-1350-48c4-9fa1-7ccb235edc68
3status: test
4description: Detects Rorschach ransomware execution activity
5references:
6 - https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
7author: X__Junior (Nextron Systems)
8date: 2023/04/04
9modified: 2023/04/22
10tags:
11 - attack.execution
12 - attack.t1059.003
13 - attack.t1059.001
14 - attack.defense_evasion
15 - detection.emerging_threats
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 Image|endswith:
22 - '\bcdedit.exe'
23 - '\net.exe'
24 - '\net1.exe'
25 - '\netsh.exe'
26 - '\wevtutil.exe'
27 - '\vssadmin.exe'
28 CommandLine|contains: '11111111'
29 condition: selection
30falsepositives:
31 - Unlikely
32level: critical
References
-
Research by: Jiri Vinopal, Dennis Yarizadeh and Gil Gekker Key Findings: Introduction While responding to a ransomware case against a US-based company, the CPIRT recently came across a unique ransomware strain deployed using a signed component of a commercial security product. Unlike other ransomware cases, the threat actor did not hide behind any alias and appears […]
Read More
Related rules
- Potential Baby Shark Malware Activity
- Sofacy Trojan Loader Activity
- Potential Bumblebee Remote Thread Creation
- Potential BlackByte Ransomware Activity
- Exploited CVE-2020-10189 Zoho ManageEngine