title: Antivirus Ransomware Detection
id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
status: test
description: |
    Detects a highly relevant Antivirus alert that reports ransomware.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
    - https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7
    - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
    - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
    - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
    - https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2022-05-12
modified: 2024-11-02
tags:
    - attack.t1486
    - attack.impact
logsource:
    category: antivirus
detection:
    selection:
        Signature|contains:
            - 'BlackWorm'
            - 'Chaos'
            - 'Cobra'
            - 'ContiCrypt'
            - 'Crypter'
            - 'CRYPTES'
            - 'Cryptor'
            - 'CylanCrypt'
            - 'DelShad'
            - 'Destructor'
            - 'Filecoder'
            - 'GandCrab'
            - 'GrandCrab'
            - 'Haperlock'
            - 'Hiddentear'
            - 'HydraCrypt'
            - 'Krypt'
            - 'Lockbit'
            - 'Locker'
            - 'Mallox'
            - 'Phobos'
            - 'Ransom'
            - 'Ryuk'
            - 'Ryzerlo'
            - 'Stopcrypt'
            - 'Tescrypt'
            - 'TeslaCrypt'
            - 'WannaCry'
            - 'Xorist'
    condition: selection
falsepositives:
    - Unlikely
level: critical

title: AWS KMS Imported Key Material Usage
id: 1279262f-1464-422f-ac0d-5b545320c526
status: experimental
description: |
    Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high certainty signal.
references:
    - https://www.chrisfarris.com/post/effective-aws-ransomware/
    - https://docs.aws.amazon.com/kms/latest/developerguide/ct-importkeymaterial.html
    - https://docs.aws.amazon.com/kms/latest/developerguide/ct-deleteimportedkeymaterial.html
author: toopricey
date: 2025-10-18
tags:
    - attack.impact
    - attack.t1486
    - attack.resource-development
    - attack.t1608.003
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'kms.amazonaws.com'
        eventName:
            - 'ImportKeyMaterial'
            - 'DeleteImportedKeyMaterial'
    condition: selection
falsepositives:
    - Legitimate use cases for imported key material are rare, but may include, Organizations with hybrid cloud architectures that import external key material for compliance requirements.
    - Development or testing environments that simulate external key management scenarios. Even in these cases, such activity is typically infrequent and should not add significant noise.
level: high

title: Load Of RstrtMgr.DLL By A Suspicious Process
id: b48492dc-c5ef-4572-8dff-32bc241c15c8
related:
    - id: 3669afd2-9891-4534-a626-e5cf03810a61
      type: derived
status: test
description: |
    Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
    This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
    It could also be used for anti-analysis purposes by shut downing specific processes.
references:
    - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
    - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
    - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
    - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
author: Luc Génaux
date: 2023-11-28
tags:
    - attack.impact
    - attack.defense-impairment
    - attack.t1486
    - attack.t1685
logsource:
    category: image_load
    product: windows
detection:
    selection_img:
        - ImageLoaded|endswith: '\RstrtMgr.dll'
        - OriginalFileName: 'RstrtMgr.dll'
    selection_folders_1:
        Image|contains:
            # Note: increase coverage by adding more suspicious paths
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
    selection_folders_2:
        - Image|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Contacts\'
    condition: selection_img and 1 of selection_folders_*
falsepositives:
    - Processes related to software installation
level: high

title: Renamed Gpg.EXE Execution
id: ec0722a3-eb5c-4a56-8ab2-bf6f20708592
status: test
description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
references:
    - https://securelist.com/locked-out/68960/
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-08-09
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'gpg.exe'
    filter_main_img:
        Image|endswith:
            - '\gpg.exe'
            - '\gpg2.exe'
    condition: selection and not 1 of filter_main_*
level: high

title: Suspicious Reg Add BitLocker
id: 0e0255bf-2548-47b8-9582-c0955c9283f5
status: test
description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
references:
    - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
author: frack113
date: 2021-11-15
modified: 2022-09-09
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'REG'
            - 'ADD'
            - '\SOFTWARE\Policies\Microsoft\FVE'
            - '/v'
            - '/f'
        CommandLine|contains:
            - 'EnableBDEWithNoTPM'
            - 'UseAdvancedStartup'
            - 'UseTPM'
            - 'UseTPMKey'
            - 'UseTPMKeyPIN'
            - 'RecoveryKeyMessageSource'
            - 'UseTPMPIN'
            - 'RecoveryKeyMessage'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: AWS EC2 Disable EBS Encryption
id: 16124c2d-e40b-4fcc-8f2c-5ab7870a2223
status: stable
description: |
  Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region.
  Disabling default encryption does not change the encryption status of your existing volumes.
references:
    - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
author: Sittikorn S
date: 2021-06-29
modified: 2021-08-20
tags:
    - attack.impact
    - attack.t1486
    - attack.t1565
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: ec2.amazonaws.com
        eventName: DisableEbsEncryptionByDefault
    condition: selection
falsepositives:
    - System Administrator Activities
    - DEV, UAT, SAT environment. You should apply this rule with PROD account only.
level: medium

title: Microsoft 365 - Potential Ransomware Activity
id: bd132164-884a-48f1-aa2d-c6d646b04c69
status: test
description: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1486
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Potential ransomware activity'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Portable Gpg.EXE Execution
id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41
status: test
description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
references:
    - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a
    - https://securelist.com/locked-out/68960/
    - https://github.com/redcanaryco/atomic-red-team/blob/c4097dc7ed14d7f7d08c89d148c4307097e8c294/atomics/T1486/T1486.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-06
modified: 2023-11-10
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\gpg.exe'
              - '\gpg2.exe'
        - OriginalFileName: 'gpg.exe'
        - Description: 'GnuPG’s OpenPGP tool'
    filter_main_legit_location:
        Image|contains:
            - ':\Program Files (x86)\GNU\GnuPG\bin\'
            - ':\Program Files (x86)\GnuPG VS-Desktop\'
            - ':\Program Files (x86)\GnuPG\bin\'
            - ':\Program Files (x86)\Gpg4win\bin\'
    condition: selection and not 1 of filter_main_*
level: medium

title: Suspicious Appended Extension
id: e3f673b3-65d1-4d80-9146-466f8b63fa99
status: test
description: Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
references:
    - https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
    - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
author: frack113
date: 2022-07-16
modified: 2023-11-11
tags:
    - attack.impact
    - attack.t1486
logsource:
    product: windows
    category: file_rename
    definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword'
detection:
    selection:
        SourceFilename|endswith:
            - '.doc'
            - '.docx'
            - '.jpeg'
            - '.jpg'
            - '.lnk'
            - '.pdf'
            - '.png'
            - '.pst'
            - '.rtf'
            - '.xls'
            - '.xlsx'
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.jpeg.'
            - '.jpg.'
            - '.lnk.'
            - '.pdf.'
            - '.png.'
            - '.pst.'
            - '.rtf.'
            - '.xls.'
            - '.xlsx.'
    filter_main_generic:
        TargetFilename|endswith:
            # Note: Please add more used extensions by backup or recovery software
            - '.backup'
            - '.bak'
            - '.old'
            - '.orig'
            - '.temp'
            - '.tmp'
    filter_optional_anaconda:
        TargetFilename|contains: ':\ProgramData\Anaconda3\'
        TargetFilename|endswith: '.c~'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Backup software
level: medium

title: Load Of RstrtMgr.DLL By An Uncommon Process
id: 3669afd2-9891-4534-a626-e5cf03810a61
related:
    - id: b48492dc-c5ef-4572-8dff-32bc241c15c8
      type: derived
status: test
description: |
    Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
    This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
    It could also be used for anti-analysis purposes by shut downing specific processes.
references:
    - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
    - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
    - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
    - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
author: Luc Génaux
date: 2023-11-28
modified: 2025-12-08
tags:
    - attack.impact
    - attack.defense-impairment
    - attack.t1486
    - attack.t1685
logsource:
    category: image_load
    product: windows
detection:
    selection:
        - ImageLoaded|endswith: '\RstrtMgr.dll'
        - OriginalFileName: 'RstrtMgr.dll'
    filter_main_generic:
        Image|startswith:
            - C:\$WINDOWS.~BT\'
            - C:\$WinREAgent\'
            - C:\Program Files (x86)\'
            - C:\Program Files\'
            - C:\ProgramData\'
            - C:\Windows\explorer.exe'
            - C:\Windows\SoftwareDistribution\'
            - C:\Windows\SysNative\'
            - C:\Windows\System32\'
            - C:\Windows\SysWOW64\'
            - C:\Windows\WinSxS\'
            - C:\WUDownloadCache\'
    filter_main_user_software_installations:
        Image|startswith: C:\Users\'
        Image|contains|all:
            - '\AppData\Local\Temp\is-'
            - '.tmp\'
        Image|endswith: '.tmp'
    filter_main_admin_software_installations:
        Image|startswith: C:\Windows\Temp\'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legitimate Windows processes not currently listed
    - Processes related to software installation
level: low