Sigma rules for REvil
4 rules · scoped to tool · back to REvil
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
id: c1337eb8-921a-4b59-855b-4ba188ddcc42
related:
- id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
type: derived
- id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40
type: similar
status: test
description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
- https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
author: Tim Rauch, frack113
date: 2022-09-20
modified: 2022-12-02
tags:
- attack.impact
- attack.t1490
logsource:
category: ps_script
product: windows
detection:
selection_get:
ScriptBlockText|contains:
- 'Get-WmiObject'
- 'gwmi'
- 'Get-CimInstance'
- 'gcim'
selection_shadowcopy:
ScriptBlockText|contains: 'Win32_ShadowCopy'
selection_delete:
ScriptBlockText|contains:
- '.Delete()'
- 'Remove-WmiObject'
- 'rwmi'
- 'Remove-CimInstance'
- 'rcim'
condition: all of selection*
falsepositives:
- Unknown
level: high
title: PUA - Rclone Execution
id: e37db05d-d1f9-49c8-b464-cee1a4b11638
related:
- id: a0d63692-a531-4912-ad39-4393325b2a9c
type: obsolete
- id: cb7286ba-f207-44ab-b9e6-760d82b84253
type: obsolete
status: test
description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
date: 2021-05-10
modified: 2023-03-05
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
category: process_creation
detection:
selection_specific_options:
CommandLine|contains|all:
- '--config '
- '--no-check-certificate '
- ' copy '
selection_rclone_img:
- Image|endswith: '\rclone.exe'
- Description: 'Rsync for cloud storage'
selection_rclone_cli:
CommandLine|contains:
- 'pass'
- 'user'
- 'copy'
- 'sync'
- 'config'
- 'lsd'
- 'remote'
- 'ls'
- 'mega'
- 'pcloud'
- 'ftp'
- 'ignore-existing'
- 'auto-confirm'
- 'transfers'
- 'multi-thread-streams'
- 'no-check-certificate '
condition: selection_specific_options or all of selection_rclone_*
falsepositives:
- Unknown
level: high
title: Deletion of Volume Shadow Copies via WMI with PowerShell
id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40
related:
- id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
type: derived
- id: c1337eb8-921a-4b59-855b-4ba188ddcc42
type: similar
status: test
description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
- https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-20
modified: 2022-12-30
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_get:
CommandLine|contains:
- 'Get-WmiObject'
- 'gwmi'
- 'Get-CimInstance'
- 'gcim'
selection_shadowcopy:
CommandLine|contains: 'Win32_ShadowCopy'
selection_delete:
CommandLine|contains:
- '.Delete()'
- 'Remove-WmiObject'
- 'rwmi'
- 'Remove-CimInstance'
- 'rcim'
condition: all of selection*
falsepositives:
- Unknown
level: high
title: Renamed MegaSync Execution
id: 643bdcac-8b82-49f4-9fd9-25a90b929f3b
status: test
description: Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
references:
- https://redcanary.com/blog/rclone-mega-extortion/
author: Sittikorn S
date: 2021-06-22
modified: 2023-02-03
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: process_creation
detection:
selection:
OriginalFileName: 'megasync.exe'
filter:
Image|endswith: '\megasync.exe'
condition: selection and not filter
falsepositives:
- Software that illegally integrates MegaSync in a renamed form
- Administrators that have renamed MegaSync
level: high