Detection of Rhysida Ransomware #4639

Open
nischalkhadgi62 opened this issue Dec 25, 2023 · 1 comment
@nischalkhadgi62

Description of the Idea of the Rule

Recently there has been a surge in the activity of the Rhysida ransomware group, and it has been observed targeting large industries. Looking at its past attacks and the recent attack on Insomniac Games, and analyzing the sample, there seems to be a common pattern: it modifies registry settings for the desktop wallpaper and, at the end, uses a PowerShell command to delete itself. Therefore this rule has been created based on that pattern.

Public References / Example Event Log

https://www.sentinelone.com/anthology/rhysida/
https://app.any.run/tasks/0654a60b-df51-45d3-a297-916af05920b7/
https://app.any.run/tasks/74c6bd6a-d12a-4515-8c39-8024b3f8d0b2/

```yaml
title: Rhysida Ransomware Activity
id: 247b704a-b50d-4532-bbad-600e61b955a9
status: experimental
description: Detects Rhysida Ransomware activity in which registry settings related to the desktop wallpaper are changed using reg.exe, and PowerShell commands that attempt to delete the sample with WindowStyle set to Hidden.
references:
    - https://app.any.run/tasks/74c6bd6a-d12a-4515-8c39-8024b3f8d0b2
    - https://app.any.run/tasks/0654a60b-df51-45d3-a297-916af05920b7
author: Nischal Khadgi
date: 2023/12/25
tags:
    - attack.defense_evasion
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    # Two maps instead of one: a YAML map cannot repeat the 'CommandLine|contains' key
    # (the second copy silently overwrites the first), and the intent is
    # (add OR delete) AND (one of the wallpaper value names).
    selection_reg_img:
        Image|endswith: '\reg.exe'
        CommandLine|contains:
            - 'add'
            - 'delete'
    selection_reg_value:
        CommandLine|contains:
            - 'WallpaperStyle'
            - 'NoChangingWallPaper'
    selection_powershell:
        Image|endswith: '\powershell.exe'
        # Both fragments must be present; 'WindowStyle Hidden' alone would match
        # countless legitimate scheduled tasks and is far too broad for a critical rule.
        CommandLine|contains|all:
            - 'WindowStyle Hidden'
            - 'Sleep -Milliseconds'
    condition: (selection_reg_img and selection_reg_value) or selection_powershell
falsepositives:
    - Unknown
level: critical
```
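
The following is an added example, not code from the Sigma project or from the issue author: it re-implements the rule's intended logic with a small Sigma-style matcher (`endswith`, `contains`, `contains|all`, case-insensitive as in Sigma) and runs it over constructed `process_creation` events. It assumes the registry value name is spelled `WallpaperStyle` and that the PowerShell branch requires both `WindowStyle Hidden` and `Sleep -Milliseconds` (an `|all` conjunction), and it evaluates the condition `(reg.exe AND (add|delete) AND (WallpaperStyle|NoChangingWallPaper)) OR (powershell.exe AND both fragments)`. The benign look-alike events show why the `reg add`/`reg delete` requirement and the `|all` conjunction matter.

```python
"""Added example: run the Rhysida process_creation rule logic over constructed events.

Illustrative code only, not part of the Sigma project or the issue author's rule.
Assumptions (not stated verbatim on the page): the registry value is spelled
'WallpaperStyle', and the PowerShell selection uses contains|all.
"""
from typing import Dict, List, Tuple

Event = Dict[str, str]
Selection = Dict[str, List[str]]

# Field maps for the process_creation rule (Sysmon EID 1 / Security 4688 field names).
SELECTION_REG_IMAGE: Selection = {
    "Image|endswith": ["\\reg.exe"],
    "CommandLine|contains": ["add", "delete"],
}
# Separate map because one YAML map cannot repeat the 'CommandLine|contains' key;
# AND-ing the two maps gives (add OR delete) AND (one of the value names).
SELECTION_REG_VALUE: Selection = {
    "CommandLine|contains": ["WallpaperStyle", "NoChangingWallPaper"],  # assumed spelling
}
SELECTION_POWERSHELL: Selection = {
    "Image|endswith": ["\\powershell.exe"],
    # |all: both fragments must be present, otherwise every hidden-window script alerts.
    "CommandLine|contains|all": ["WindowStyle Hidden", "Sleep -Milliseconds"],
}


def _field_matches(value: str, modifier: str, patterns: List[str]) -> bool:
    """Evaluate one Sigma field/modifier pair. Sigma string matching is case-insensitive."""
    v = value.lower()
    pats = [p.lower() for p in patterns]
    if modifier == "":
        return v in pats
    if modifier == "endswith":
        return any(v.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in v for p in pats)
    if modifier == "contains|all":
        return all(p in v for p in pats)
    raise ValueError(f"unsupported modifier: {modifier!r}")


def match_selection(event: Event, selection: Selection) -> bool:
    """A selection map is an AND of its fields; a list of values is an OR unless |all."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event.get(field, ""), modifier, patterns):
            return False
    return True


def classify(event: Event) -> str:
    """Return the rule branch that fired, or '' for no match.

    condition: (selection_reg_image and selection_reg_value) or selection_powershell
    """
    if match_selection(event, SELECTION_REG_IMAGE) and match_selection(event, SELECTION_REG_VALUE):
        return "selection_reg"
    if match_selection(event, SELECTION_POWERSHELL):
        return "selection_powershell"
    return ""


# Constructed sample events (not real telemetry): three true positives followed
# by benign look-alikes that a looser version of the rule would flag.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -WindowStyle Hidden -Command "Start-Sleep -Milliseconds 500; Remove-Item -Force C:\Users\Public\sample.exe"'},
    # benign: reads the value instead of writing it (no add/delete)
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKCU\Control Panel\Desktop" /v WallpaperStyle'},
    # benign: hidden window without the sleep fragment (would fire under a plain OR)
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\Scripts\nightly-backup.ps1"},
    # benign: matching strings but a different image
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo add WallpaperStyle"},
]


def run(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (index, selection) for every event the rule would alert on."""
    return [(i, hit) for i, e in enumerate(events) if (hit := classify(e))]


if __name__ == "__main__":
    for idx, sel in run(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}] via {sel}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Only the first three events alert; the `reg query`, the hidden-window backup script and the `cmd.exe` echo do not. Swapping `contains|all` for `contains` on the PowerShell selection would make the backup script alert at level critical, which is the reason for the conjunction.
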
Contributor

Welcome @nischalkhadgi62 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃

@nasbench nasbench added the Work In Progress Some changes are needed label Dec 25, 2023