CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
88b7593ea99dbae9eb4e46edd68c76372c07f078
hayabusa/rules/sigma/process_creation/win_crime_snatch_ransomware.yml
T
itiB 83d891b2fa Feature/rm submodule (#312) 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00

34 lines
816 B
YAML
Raw Blame History

title: Snatch Ransomware
ruletype: Sigma
author: Florian Roth
date: 2020/08/26
description: Detects specific process characteristics of Snatch ransomware word document
droppers
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*shutdown /r /f /t 00*'
- '*net stop SuperBackupMan*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
fields:
- ComputerName
- User
- Image
id: 5325945e-f1f0-406e-97b8-65104d393fff
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
status: test
tags:
- attack.execution
- attack.t1204
Reference in New Issue View Git Blame Copy Permalink