Suspicious Ping/Del Command Combination

Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example

Sigma rule (View on GitHub)

 1title: Suspicious Ping/Del Command Combination
 2id: 54786ddc-5b8a-11ed-9b6a-0242ac120002
 3status: test
 4description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
 5references:
 6    - https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack
 7    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
 8    - https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/
 9    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
10author: Ilya Krestinichev
11date: 2022-11-03
12modified: 2024-03-05
13tags:
14    - attack.defense-evasion
15    - attack.t1070.004
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
21    # Example: "C:\Windows\System32\cmd.exe"  /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
22    selection_count:
23        CommandLine|contains|windash: ' -n '
24    selection_nul:
25        CommandLine|contains: 'Nul' # Covers "> Nul" and ">Nul "
26    selection_del_param:
27        CommandLine|contains|windash:
28            - ' -f '
29            - ' -q '
30    selection_all:
31        CommandLine|contains|all:
32            - 'ping' # Covers "ping" and "ping.exe"
33            - 'del '
34    condition: all of selection_*
35falsepositives:
36    - Unknown
37level: high

References

Related rules

to-top