hayabusa/rules/Sigma/win_malware_wannacry.yml

title: WannaCry Ransomware
author: Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan
    Ribeiro
date: 2019/01/16
description: Detects WannaCry ransomware activity
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_10:
        Image: '*\linuxnew.exe'
    SELECTION_11:
        Image: '*\wannacry.exe'
    SELECTION_12:
        Image: '*WanaDecryptor*'
    SELECTION_13:
        CommandLine: '*icacls*'
    SELECTION_14:
        CommandLine: '*/grant*'
    SELECTION_15:
        CommandLine: '*Everyone:F*'
    SELECTION_16:
        CommandLine: '*/T*'
    SELECTION_17:
        CommandLine: '*/C*'
    SELECTION_18:
        CommandLine: '*/Q*'
    SELECTION_19:
        CommandLine: '*bcdedit*'
    SELECTION_2:
        Image: '*\tasksche.exe'
    SELECTION_20:
        CommandLine: '*/set*'
    SELECTION_21:
        CommandLine: '*{default}*'
    SELECTION_22:
        CommandLine: '*recoveryenabled*'
    SELECTION_23:
        CommandLine: '*no*'
    SELECTION_24:
        CommandLine: '*wbadmin*'
    SELECTION_25:
        CommandLine: '*delete*'
    SELECTION_26:
        CommandLine: '*catalog*'
    SELECTION_27:
        CommandLine: '*-quiet*'
    SELECTION_28:
        CommandLine: '*@Please_Read_Me@.txt*'
    SELECTION_3:
        Image: '*\mssecsvc.exe'
    SELECTION_4:
        Image: '*\taskdl.exe'
    SELECTION_5:
        Image: '*\taskhsvc.exe'
    SELECTION_6:
        Image: '*\taskse.exe'
    SELECTION_7:
        Image: '*\111.exe'
    SELECTION_8:
        Image: '*\lhdfrgui.exe'
    SELECTION_9:
        Image: '*\diskpart.exe'
    condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
        or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
        or SELECTION_11) or SELECTION_12 or (SELECTION_13 and SELECTION_14 and SELECTION_15
        and SELECTION_16 and SELECTION_17 and SELECTION_18) or (SELECTION_19 and SELECTION_20
        and SELECTION_21 and SELECTION_22 and SELECTION_23) or (SELECTION_24 and SELECTION_25
        and SELECTION_26 and SELECTION_27) or SELECTION_28))
falsepositives:
- Diskpart.exe usage to manage partitions on the local hard drive
fields:
- CommandLine
- ParentCommandLine
id: 41d40bff-377a-43e2-8e1b-2e543069e079
level: critical
logsource:
    category: process_creation
    product: windows
modified: 2020/09/01
references:
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
status: experimental
tags:
- attack.lateral_movement
- attack.t1210
- attack.discovery
- attack.t1083
- attack.defense_evasion
- attack.t1222.001
- attack.t1222
- attack.impact
- attack.t1486
- attack.t1490
yml_filename: win_malware_wannacry.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation