title: Snatch Ransomware
author: Florian Roth
date: 2020/08/26
description: Detects specific process characteristics of Snatch ransomware word document
  droppers
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine:
    - '*shutdown /r /f /t 00*'
    - '*net stop SuperBackupMan*'
  condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
fields:
- ComputerName
- User
- Image
id: 5325945e-f1f0-406e-97b8-65104d393fff
level: critical
logsource:
  category: process_creation
  product: windows
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
status: experimental
tags:
- attack.execution
- attack.t1204
ruletype: SIGMA