Find sigma rule

Attack: Command and Scripting Interpreter: Windows Command Shell

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.(Citation: SSH in Windows)

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel.

MITRE

Tactic

execution

technique

T1059.003

Test : Simulate BlackByte Ransomware Print Bombing

OS

windows

Description:

This test attempts to open a file a specified number of times in Wordpad, then prints the contents. It is designed to mimic BlackByte ransomware’s print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. See https://redcanary.com/blog/blackbyte-ransomware/.

Executor

powershell

Sigma Rule

proc_creation_win_malware_blackbyte_ransomware.yml (id: 999e8307-a775-4d5f-addc-4855632335be)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test