30 lines
1.7 KiB
Plaintext
30 lines
1.7 KiB
Plaintext
rule Ransom_Lockbit {
|
|
meta:
|
|
description= "Detect the risk of Ransomware Lockbit Rule 1"
|
|
hash1 = "717585e9605ac2a971b7c7537e6e311bab9db02ecc6451e0efada9b2ff38b474"
|
|
strings:
|
|
$x1 = "powershell.exe -Command \"Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomD" wide
|
|
$x2 = "cmd.exe /c \"shutdown.exe /r /f /t 0\"" fullword wide
|
|
$x3 = "C:\\Windows\\System32\\taskkill.exe" fullword wide
|
|
$s4 = "\"C:\\Windows\\system32\\mshta.exe\" \"%s\"" fullword wide
|
|
$s5 = "<Exec><Command>%s</Command><Arguments>%s</Arguments></Exec>" fullword wide
|
|
$s6 = " /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 \"%s\" & Del /f /q \"%s\"" fullword wide
|
|
$s7 = "C:\\windows\\system32\\%02X%02X%02X.ico" fullword wide
|
|
$s8 = "\\??\\C:\\windows\\system32\\%02X%02X%02X.ico" fullword wide
|
|
$s9 = "%%DesktopDir%%\\%02X%02X%02X.exe" fullword wide
|
|
$s10 = "%02X%02X%02X.exe" fullword wide
|
|
$s11 = "\\Registry\\Machine\\Software\\Classes\\Lockbit\\shell\\Open\\Command" fullword wide
|
|
$s12 = "You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, " wide
|
|
$s13 = "\\\\%s\\ROOT\\CIMV2" fullword wide
|
|
$s14 = "https://tox.chat/download.html" fullword wide
|
|
$s15 = "LDAP://CN=%s,CN=Policies,CN=System,DC=%s,DC=%s" fullword wide
|
|
$s16 = "\\LockBit_Ransomware.hta" fullword wide
|
|
$s17 = "https://bigblog.at" fullword wide
|
|
$s18 = "\\NetworkShares.xml" fullword wide
|
|
$s19 = "\\Services.xml" fullword wide
|
|
$s20 = "RESTORE-MY-FILES.TXT" fullword wide
|
|
condition:
|
|
uint16(0) == 0x5a4d and
|
|
5 of them
|
|
}
|