Wannacry Killswitch Domain

 1title: Wannacry Killswitch Domain
 2id: 3eaf6218-3bed-4d8a-8707-274096f12a18
 3status: test
 4description: Detects wannacry killswitch domain dns queries
 5references:
 6    - https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign
 7author: Mike Wade
 8date: 2020-09-16
 9modified: 2022-03-24
10tags:
11    - attack.command-and-control
12    - attack.t1071.001
13logsource:
14    category: dns
15detection:
16    selection:
17        query:
18            - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing'
19            - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test'
20            - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
21            - 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'
22            - 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
23    condition: selection
24falsepositives:
25    - Analyst testing
26level: high

References

• WannaCry Ransomware Campaign: Threat Details and Risk Management | Mandiant | Google Cloud Blog

  

  In response to the use of this exploited vulnerability, Microsoft has provided specific risk management steps for WannaCry. While WannaCry ransomware has spread primarily through SMB exploitation, ...

  
  Read More

Related rules

• APT User Agent
• APT40 Dropbox Tool User Agent
• Bitsadmin to Uncommon IP Server Address
• Bitsadmin to Uncommon TLD
• Chafer Malware URL Pattern