WanaCrypt v1 Detection Rule

Version 1

    Disclaimer: You shouldn't really be relying on your SIEM to protect you from ransom- and mal-ware.  LEM is not an antivirus or malware scanner.  Also, I didn't have a lab isolated enough that I felt comfortable deploying the actual virus code, so this is an approximation of the sorts of events you might see.  I provide this more as a guide for what you might look for than as a bullet-proof "out of the box" rule.

     

    This rule is "v1" because it looks for the web traffic to the kill-switch domains.  This kill-switch appears to have been removed in newer versions on WanaCrypt, so you'd need to remove those correlation conditions for new versions.

     

    As with all things LEM, the rule assumes you have auditing configured and operating in such a way that the required events are generated and communicated to the LEM.  In this example, that means LEM knows about web traffic, registry and file modifications, service events and process creation events, to name a few.  If you're not auditing one or more of those things, you'll need to decide if you want to adjust the rule or your auditing to compensate.

     

    I used the description and information from this article to get started on this rule: https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt

     

    If you haven't yet patched all your machines with MS17-010, you should go do that.  I've also created a report for Patch Manager to help with that task: UPDATED - Computer Update Status - WanaCrypt (MS17-010) - v2