title: WannaCry Ransomware
id: 41d40bff-377a-43e2-8e1b-2e543069e079
status: experimental
description: Detects WannaCry ransomware activity
references:
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
author: Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
date: 2019/01/16
modified: 2020/09/01
tags:
    - attack.lateral_movement
    - attack.t1210
    - attack.discovery
    - attack.t1083
    - attack.defense_evasion
    - attack.t1222.001
    - attack.t1222
    - attack.impact
    - attack.t1486
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        Image:
            - '*\tasksche.exe'
            - '*\mssecsvc.exe'
            - '*\taskdl.exe'
            - '*\taskhsvc.exe'
            - '*\taskse.exe'
            - '*\111.exe'
            - '*\lhdfrgui.exe'
            - '*\diskpart.exe'
            - '*\linuxnew.exe'
            - '*\wannacry.exe'
    SELECTION_3:
        Image: '*WanaDecryptor*'
    SELECTION_4:
        CommandLine: '*icacls*'
    SELECTION_5:
        CommandLine: '*/grant*'
    SELECTION_6:
        CommandLine: '*Everyone:F*'
    SELECTION_7:
        CommandLine: '*/T*'
    SELECTION_8:
        CommandLine: '*/C*'
    SELECTION_9:
        CommandLine: '*/Q*'
    SELECTION_10:
        CommandLine: '*bcdedit*'
    SELECTION_11:
        CommandLine: '*/set*'
    SELECTION_12:
        CommandLine: '*{default}*'
    SELECTION_13:
        CommandLine: '*recoveryenabled*'
    SELECTION_14:
        CommandLine: '*no*'
    SELECTION_15:
        CommandLine: '*wbadmin*'
    SELECTION_16:
        CommandLine: '*delete*'
    SELECTION_17:
        CommandLine: '*catalog*'
    SELECTION_18:
        CommandLine: '*-quiet*'
    SELECTION_19:
        CommandLine: '*@Please_Read_Me@.txt*'
    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or (SELECTION_4 and SELECTION_5 and SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or (SELECTION_10 and SELECTION_11 and SELECTION_12 and SELECTION_13 and SELECTION_14) or (SELECTION_15 and SELECTION_16 and SELECTION_17 and SELECTION_18) or SELECTION_19))
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Diskpart.exe usage to manage partitions on the local hard drive
level: critical
ruletype: SIGMA
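The following is an added example, not code from the Sigma project or the rule's authors. It evaluates this rule's condition over a few constructed Sysmon process_creation events (parsed into plain dicts with an integer EventID, an assumption of the example) using Sigma's string semantics: '*' matches any run of characters, '?' one character, matching is case-insensitive and anchored to the whole value, and every other character including '\', '{' and '.' is literal. The function names (wildcard_to_regex, matched_branches, rule_matches) and the branch labels are the example's own. Reporting which branch of the OR fired is what a triage analyst wants first, and the diskpart event shows the false positive the rule itself documents.

```python
import re

# Selections copied from the rule. A list value means "any of these".
SELECTIONS = {
    "SELECTION_1": {"EventID": 1},
    "SELECTION_2": {"Image": ["*\\tasksche.exe", "*\\mssecsvc.exe", "*\\taskdl.exe",
                              "*\\taskhsvc.exe", "*\\taskse.exe", "*\\111.exe",
                              "*\\lhdfrgui.exe", "*\\diskpart.exe", "*\\linuxnew.exe",
                              "*\\wannacry.exe"]},
    "SELECTION_3": {"Image": "*WanaDecryptor*"},
    "SELECTION_4": {"CommandLine": "*icacls*"},
    "SELECTION_5": {"CommandLine": "*/grant*"},
    "SELECTION_6": {"CommandLine": "*Everyone:F*"},
    "SELECTION_7": {"CommandLine": "*/T*"},
    "SELECTION_8": {"CommandLine": "*/C*"},
    "SELECTION_9": {"CommandLine": "*/Q*"},
    "SELECTION_10": {"CommandLine": "*bcdedit*"},
    "SELECTION_11": {"CommandLine": "*/set*"},
    "SELECTION_12": {"CommandLine": "*{default}*"},
    "SELECTION_13": {"CommandLine": "*recoveryenabled*"},
    "SELECTION_14": {"CommandLine": "*no*"},
    "SELECTION_15": {"CommandLine": "*wbadmin*"},
    "SELECTION_16": {"CommandLine": "*delete*"},
    "SELECTION_17": {"CommandLine": "*catalog*"},
    "SELECTION_18": {"CommandLine": "*-quiet*"},
    "SELECTION_19": {"CommandLine": "*@Please_Read_Me@.txt*"},
}

# The OR-branches of the rule's condition; SELECTION_1 is AND-ed in front of all of them.
# Branch labels are the example's own, chosen to make alerts readable.
BRANCHES = {
    "known_image": ["SELECTION_2"],
    "decryptor_image": ["SELECTION_3"],
    "icacls_everyone": ["SELECTION_4", "SELECTION_5", "SELECTION_6",
                        "SELECTION_7", "SELECTION_8", "SELECTION_9"],
    "bcdedit_recovery": ["SELECTION_10", "SELECTION_11", "SELECTION_12",
                         "SELECTION_13", "SELECTION_14"],
    "wbadmin_catalog": ["SELECTION_15", "SELECTION_16", "SELECTION_17", "SELECTION_18"],
    "ransom_note": ["SELECTION_19"],
}


def wildcard_to_regex(pattern):
    """Translate a Sigma wildcard string into an anchored, case-insensitive regex.
    Only '*' and '?' are special; everything else is escaped so that '\\', '{', '.'
    in the rule's patterns are taken literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def field_matches(event, field, expected):
    """True if the event's field matches the expected value (or any value of a list)."""
    value = event.get(field)
    if value is None:
        return False
    for exp in (expected if isinstance(expected, list) else [expected]):
        if isinstance(exp, str):
            if wildcard_to_regex(exp).match(str(value)):
                return True
        elif str(value) == str(exp):  # non-string values (EventID) compare exactly
            return True
    return False


def selection_matches(event, name):
    """A selection is a map of field -> value(s); all of its fields must match."""
    return all(field_matches(event, f, v) for f, v in SELECTIONS[name].items())


def matched_branches(event):
    """Names of the condition branches this event satisfies (empty if not EventID 1)."""
    if not selection_matches(event, "SELECTION_1"):
        return []
    return [name for name, sels in BRANCHES.items()
            if all(selection_matches(event, s) for s in sels)]


def rule_matches(event):
    """The full rule condition: SELECTION_1 and (any branch)."""
    return bool(matched_branches(event))


# Constructed sample events (not real telemetry). Image/CommandLine are the Sysmon fields.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\tasksche.exe",
     "CommandLine": "C:\\Windows\\tasksche.exe /i"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c icacls . /grant Everyone:F /T /C /Q"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c bcdedit /set {default} recoveryenabled no"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c wbadmin delete catalog -quiet"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},          # benign
    {"EventID": 3, "Image": "C:\\Windows\\tasksche.exe",
     "CommandLine": "C:\\Windows\\tasksche.exe /i"},                      # not EventID 1
    {"EventID": 1, "Image": "C:\\Windows\\System32\\diskpart.exe",
     "CommandLine": "diskpart.exe /s C:\\scripts\\part.txt"},             # documented FP
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_matches(ev), matched_branches(ev), ev["CommandLine"])
```

Note that SELECTION_7, SELECTION_8 and SELECTION_9 ('*/T*', '*/C*', '*/Q*') match almost any command line on their own, which is why the rule only uses them AND-ed with the icacls and Everyone:F terms; the diskpart image match is the false positive the rule lists, so an alert carrying the branch name lets an analyst route it straight to the local-admin check.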