Vendor: SkySea
June 14, 2023
Product: ClientView
Use-Case: Ransomware
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 8 | 0 | 10 | 6 | 6 |
| Event Type | MITRE ATT&CK® TTP | Rule | Models |
|---|---|---|---|
| app-activity | T1078 - Valid Accounts | Auth-Ransomware-Shost: User authentication or login from a known ransomware IP | |
| app-login | T1078 - Valid Accounts | Auth-Ransomware-Shost: User authentication or login from a known ransomware IP | |
| file-write | T1486 - Data Encrypted for Impact | FA-EXT: A file has been written and is suspected of Ransomware on host | |
| process-created | T1070 - Indicator Removal on Host | A-Fsutil-Sus-Invocation: Suspicious parameters of fsutil were detected on this asset | |
| process-created | T1070 - Indicator Removal on Host | Fsutil-Sus-Invocation: Suspicious parameters of fsutil were detected | |
| process-created | T1003.001 | A-NotPetya-Activity: NotPetya Ransomware Activity detected on this asset | |
| process-created | T1003.001 | NotPetya-Activity: NotPetya Ransomware Activity detected | |
| process-created | T1070.001 - Indicator Removal on Host: Clear Windows Event Logs | A-NotPetya-Activity: NotPetya Ransomware Activity detected on this asset | |
| process-created | T1070.001 - Indicator Removal on Host: Clear Windows Event Logs | NotPetya-Activity: NotPetya Ransomware Activity detected | |
| process-created | T1218.011 - Signed Binary Proxy Execution: Rundll32 | A-NotPetya-Activity: NotPetya Ransomware Activity detected on this asset | |
| process-created | T1218.011 - Signed Binary Proxy Execution: Rundll32 | NotPetya-Activity: NotPetya Ransomware Activity detected | |
| process-created | T1059.003 | A-WannaCry: Artifacts seen by WannaCry malware have been observed on this asset | |
| process-created | T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification | A-WannaCry: Artifacts seen by WannaCry malware have been observed on this asset | |
| process-created | T1486 - Data Encrypted for Impact | A-WannaCry: Artifacts seen by WannaCry malware have been observed on this asset | |
| process-created | T1490 - Inhibit System Recovery | A-WannaCry: Artifacts seen by WannaCry malware have been observed on this asset | |
| web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols | WEB-UI-Ransomware: User attempted to connect to an IP address associated with Ransomware | |
| web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols | WEB-UI-Ransomware: User attempted to connect to an IP address associated with Ransomware | |