Suspicious Ping/Del Command Combination

calendar Mar 11, 2024 · attack.defense_evasion attack.t1070.004  ·
Share on: linkedin copy

Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example

Sigma rule (View on GitHub)

 1title: Suspicious Ping/Del Command Combination
 2id: 54786ddc-5b8a-11ed-9b6a-0242ac120002
 3status: test
 4description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
 5references:
 6    - https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack
 7    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
 8    - https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/
 9    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
10author: Ilya Krestinichev
11date: 2022/11/03
12modified: 2024/03/05
13tags:
14    - attack.defense_evasion
15    - attack.t1070.004
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
21    # Example: "C:\Windows\System32\cmd.exe"  /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
22    selection_count:
23        CommandLine|contains|windash: ' -n '
24    selection_nul:
25        CommandLine|contains: 'Nul' # Covers "> Nul" and ">Nul "
26    selection_del_param:
27        CommandLine|contains|windash:
28            - ' -f '
29            - ' -q '
30    selection_all:
31        CommandLine|contains|all:
32            - 'ping' # Covers "ping" and "ping.exe"
33            - 'del '
34    condition: all of selection_*
35falsepositives:
36    - Unknown
37level: high

References

  • Kaseya Ransomware Supply Chain Attack

    Get a deep dive into the Kaseya ransomware attack, and how you can deploy effective defense strategies.


    Read More

  • G ^6+—„M:ßaT1ih]‰)ïiµ]¤ÍàÛŸ×+3ª2î|>ŸuW,—�÷BÓÅ6òEþÏú�àVÉ:ƒ�VóÞø£aGÑñ4øFë#aÝÿ•Æ,ÊV”®lNÿw„i)S¼Rµõ`êæ! À–ïÅyÝGM™ŸðI�Õ5æO{›c©�Ц¬d¤JÊ�§×^B>ûxPsuá†Ð?ÈVŠ?êeèôò¹®º®¬püM™¿Oƒ¢ÚNRNŽ_&A¡...


    Read More

  • Threat analysis: LockBit Ransomware - Acronis

    LockBit ransomware is a sophisticated cyberthreat that’s actively targeting high-value organizations and leaking data publicly if the ransom isn’t paid. Learn how this piece of malware operates, and how Acronis’ cyber protection solutions can keep your data and applications safe.


    Read More

  • Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool

    Exbyte is the latest tool developed by ransomware attackers to expedite data theft from victims.


    Read More

Related rules

to-top