50 lines
1.8 KiB
YAML
50 lines
1.8 KiB
YAML
|
|
title: REvil Kaseya Incident Malware Patterns
|
|
author: Florian Roth
|
|
date: 2021/07/03
|
|
description: Detects process command line patterns and locations used by REvil group
|
|
in Kaseya incident (can also match on other malware)
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
CommandLine:
|
|
- '*C:\Windows\cert.exe*'
|
|
- '*Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem
|
|
$true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess
|
|
Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled*'
|
|
- '*del /q /f c:\kworking\agent.crt*'
|
|
- '*Kaseya VSA Agent Hot-fix*'
|
|
- '*\AppData\Local\Temp\MsMpEng.exe*'
|
|
- '*rmdir /s /q %SystemDrive%\inetpub\logs*'
|
|
- '*del /s /q /f %SystemDrive%\\*.log*'
|
|
- '*c:\kworking1\agent.exe*'
|
|
- '*c:\kworking1\agent.crt*'
|
|
SELECTION_3:
|
|
Image:
|
|
- C:\Windows\MsMpEng.exe
|
|
- C:\Windows\cert.exe
|
|
- C:\kworking\agent.exe
|
|
- C:\kworking1\agent.exe
|
|
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
|
|
falsepositives:
|
|
- Unknown
|
|
id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5
|
|
level: critical
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
modified: 2021/07/05
|
|
references:
|
|
- https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
|
|
- https://www.joesandbox.com/analysis/443736/0/html
|
|
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
|
|
- https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
|
|
- https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
|
|
status: experimental
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059
|
|
- attack.g0115
|
|
ruletype: SIGMA
|