Update WannaCry Ransomware Activity #5131

nasbench · 2024-12-16T12:49:08Z

Update https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml to remove the following section

- CommandLine|contains|all:
              - 'icacls'
              - '/grant'
              - 'Everyone:F'
              - '/T'
              - '/C'
              - '/Q'
        - CommandLine|contains|all:
              - 'bcdedit'
              - '/set'
              - '{default}'
              - 'recoveryenabled'
              - 'no'
        - CommandLine|contains|all:
              - 'wbadmin'
              - 'delete'
              - 'catalog'
              - '-quiet'

This section isn't specific to WannaCry and we already have generic coverage for it. See https://x.com/nas_bench/status/1868639048484425963

nasbench added the Create Pull-Request issues that should be provided as a pull request label Dec 16, 2024

nasbench self-assigned this Dec 16, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update WannaCry Ransomware Activity #5131

Update WannaCry Ransomware Activity #5131

nasbench commented Dec 16, 2024

Update WannaCry Ransomware Activity #5131

Update WannaCry Ransomware Activity #5131

Comments

nasbench commented Dec 16, 2024