Tag: Rule of the Week

Rule of the Week: Thanos Ransomware

Today in the Rule of the Week section, we suggest paying attention to the rule published by Emir Erdogan. The new rule helps detect Thanos ransomware, which weaponized the RIPlace tactic to bypass anti-ransomware solutions: https://tdm.socprime.com/tdm/info/QvmZLqPG91bq/LYA4D3MBSh4W_EKGVfTV/?p=1 Thanos ransomware first appeared at the end of last year, and its authors advertised it in underground forums and closed […]

Rule of the Week: Cobalt Strike Delivered via Multi-Stage APT Attack

This month, researchers discovered a multi-stage attack conducted by an unidentified APT group. During this attack, adversaries used the Malleable C2 feature in Cobalt Strike to perform C&C communications and deliver the final payload. Researchers note that the attackers use advanced evasion techniques: they observed an intentional delay in executing the payload from the malicious Word […]

Rule of the Week: Qbot Trojan Detection

Once again, we want to highlight content for detecting QBot malware in the Rule of the Week section. About a month ago, a simple but effective rule from Emir Erdogan was published in this section. But the twelve-year-old Trojan continues to evolve, and just a couple of days ago, fresh samples of this […]

Rule of the Week: Command Execution on Azure VM

In the Rule of the Week section, we present the Command Execution on Azure VM (via azureactivity) rule by SOC Prime Team: https://tdm.socprime.com/tdm/info/A5uYMlcWOmeq/RYxlfnIB1-hfOQirCXZy/?p=1# Adversaries can misuse Azure VM functionality to establish a foothold in an environment, which could then be used to persist access and escalate privileges. They can exploit the Run Command feature that […]

Rule of the Week: QakBot Malware Detection

The QakBot banking trojan (aka QBot) has been used in attacks on organizations for over 10 years, and its authors continuously monitor threat landscape trends, adding new features or removing them if they don’t work properly. In 2017, this malware possessed worm-like capabilities and was capable of locking Active Directory users to cause additional damage to […]

Rule of the Week: Nefilim/Nephilim Ransomware Detection

This week we want to highlight the community Sigma rule by Emir Erdogan that helps detect Nefilim/Nephilim ransomware used in destructive attacks. This ransomware family was first discovered two months ago, and its code is based on NEMTY ransomware, which emerged last summer as a public affiliate program. It looks like NEMTY forked into two […]
