This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

WannaCry Alert

dcokers over 6 years ago

Has anyone created a WannaCry LEM alert. This threat might have subsided due to the Kill switch but I am thinking others are coming.

Based on a few blog posts I have read I created a rule that looks on our file server for the below files.

@Please_Read_Me@.txt

testonly.wnry

.wcry

.wncry

.wncryt

This is what I have so far, but I was interested in others feedback.

Top Replies

0 jeremymayfield over 6 years ago

I have it sending an email and disabling networking
Cancel
Vote Up 0 Vote Down

Cancel
0 jeremymayfield over 6 years ago

Well i wanted to have it kill network but its asking me for an agent and i don't know what to put in there.
Cancel
Vote Up 0 Vote Down

Cancel
0 dcokers over 6 years ago in reply to jeremymayfield

Are you able to monitor file creation without the agent and FIM going?
Cancel
Vote Up 0 Vote Down

Cancel
0 jeremymayfield over 6 years ago in reply to dcokers

I got an error when i added in the action disable Networking, needs agent details.
Cancel
Vote Up 0 Vote Down

Cancel
0 jeremymayfield over 6 years ago in reply to dcokers
Cancel
Vote Up 0 Vote Down

Cancel
0 dcokers over 6 years ago in reply to jeremymayfield

My question is that I am only getting logs from my file server. The file server is my biggest concern, it has the LEM agent installed and is setup as FIM.
So if my PC writes a file to the file server my alert comes from my server, not my PC. So I can't shutdown the IP of the PC, just the file server. Is this normal or should I also be getting alerts from my PC.
Here is a sample monitor I received.
Cancel
Vote Up 0 Vote Down

Cancel
0 sparda963 over 6 years ago

What kind of setup do you have in your FIM connector to detect file name changes? I have not been able to get a combination that will detect file name changes for some reason yet.
I think your rule would work based on that though for alerting purposes.
Cancel
Vote Up 0 Vote Down

Cancel
0 curtisi over 6 years ago

Here's my attempt:
WanaCrypt v1 Detection Rule
Cancel
Vote Up +2 Vote Down

Cancel
0 jvb over 6 years ago in reply to jeremymayfield

jeremymayfield ... I believe you would just drag the FileAudit.DetectionIP over to that field:
Cancel
Vote Up +1 Vote Down

Cancel
0 jvb over 6 years ago in reply to dcokers

dcokers ... That would be normal.... You would have to be specifically monitoring those nodes in LEM in order to get alerts from or disable them.
Cancel
Vote Up +1 Vote Down

Cancel