
Bad Rabbit rule.

Champ Clark III committed Oct 25, 2017
1 parent 0d786c6 commit 8557a59bc4ab1323e39d5ab83ea180750b32c001
Showing with 7 additions and 1 deletion.
  1. +1 −1 .last_used_sid
  2. +1 −0 sagan-sid-msg.map
  3. +5 −0 windows-malware.rules
@@ -1 +1 @@
5003203
5003204
@@ -3091,6 +3091,7 @@
5003201 || [WINDOWS-MALWARE] CryptoMix ransomware extension detected. || url,www.bleepingcomputer.com/news/security/new-error-cryptomix-ransomware-variant-released/ || url,wiki.quadrantsec.com/bin/view/Main/5003202
5003202 || [WINDOWS-MALWARE] Locky/CryptoMix ransomware note detected || url,www.bleepingcomputer.com/news/security/new-error-cryptomix-ransomware-variant-released/ || url,wiki.quadrantsec.com/bin/view/Main/5003202
5003203 || [WINDOWS-AUTH] SAM Database Unable to Lock Account || url,technet.microsoft.com/en-us/library/cc733228(v=ws.10).aspx || url,wiki.quadrantsec.com/bin/view/Main/5003203
5003204 || [WINDOWS-MALWARE] Bad Rabbit Malware scheduled task detected || url,wiki.quadrantsec.com/bin/view/Main/5003204 || url,blog.talosintelligence.com/2017/10/bad-rabbit.html
6000510 || [OSSEC] Level 7 - Host-based anomaly detection event (rootcheck). (ossec_rules.xml:ossec)
6000513 || [OSSEC] Level 9 - Windows malware detected. (ossec_rules.xml:ossec)
6000518 || [OSSEC] Level 9 - Windows Adware/Spyware application found. (ossec_rules.xml:ossec)
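Review bot: the new 5003204 map entry lists the wiki reference before the Talos write-up, which reverses the convention of the neighbouring entries (5003201 through 5003203 put the external source first and the wiki.quadrantsec.com page last); swapping the two references keeps the map consistent. While editing this region, note that the unchanged 5003201 line still points its wiki reference at `url,wiki.quadrantsec.com/bin/view/Main/5003202` instead of `Main/5003201`, which is worth a drive-by fix in the same commit.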
@@ -308,3 +308,8 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoMix r
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky/CryptoMix ransomware note detected"; pcre: "/ 4663: | 567: | 5145: /"; meta_nocase; content: "_HELP_instructions.txt "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5003202; reference: url,www.bleepingcomputer.com/news/security/new-error-cryptomix-ransomware-variant-released/; sid:5003202; rev:1;)
# Steve Rawls - Bad Rabbit.
alert any any any -> any any (msg: "[WINDOWS-MALWARE] Bad Rabbit Malware scheduled task detected"; content: "scheduled task"; nocase; meta_content: "%sagan%", viserion_,rhaegal,drogon ; meta_nocase; pcre: "/ 602: | 4698: /"; classtype: trojan-activity; program: Security*; reference: url,blog.talosintelligence.com/2017/10/bad-rabbit.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003204; sid:5003204; rev:1;)
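Review bot: `program: Security*` on the new rule drops the leading wildcard that the CryptoMix rule directly above uses (`program: *Security*`), so the two rules will not match the same set of forwarded Windows Security log sources unless the program field is known to start with "Security"; use `*Security*` here for consistency. The header `alert any any any -> any any` also departs from the `$EXTERNAL_NET any -> $HOME_NET any` form used by the sibling rule, and the option spacing (`msg: "`, `meta_content: "%sagan%", viserion_,rhaegal,drogon ;`) carries stray whitespace that the other rules in this file avoid; tightening it to `meta_content: "%sagan%", viserion_,rhaegal,drogon;` matches the surrounding style.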
