hari.senen 3 Posted May 17, 2022

Hello, I want to block STOP DJVU using an EEI rule set. Let's say it uses this command:

C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe\ --Admin IsNotAutoStart IsNotTask

and the executable is C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe. Maybe C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe is random, so I created the rule set like this:

<?xml version="1.0" encoding="utf-8"?>
<rule>
  <severity>warning</severity>
  <definition>
    <process>
      <!-- outer AND: the started file must be an .exe -->
      <operator type="AND">
        <condition component="FileItem" property="Extension" condition="is" value="exe" />
        <!-- inner AND: full switch string must be present -->
        <operator type="AND">
          <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin IsNotAutoStart IsNotTask" />
          <!-- OR: any single switch, or an unknown/untrusted/unsafe file -->
          <operator type="OR">
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotAutoStart" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotTask" />
            <operator type="AND">
              <condition component="LiveGrid" condition="less" property="Reputation" value="8" />
              <condition component="Module" condition="isnot" property="SignatureType" value="Trusted" />
              <condition component="Enterprise" condition="isnot" property="Safe" value="1" />
            </operator>
          </operator>
        </operator>
      </operator>
    </process>
  </definition>
  <description>
    <name>STOP DJVU Process</name>
    <explanation>
      This is the STOP DJVU encryption process. This file is the payload dropper for the encryption process of STOP DJVU ransomware.
    </explanation>
    <maliciousCauses>
    </maliciousCauses>
    <category>
      Default
    </category>
    <recommendedActions>
      [remediation:kill]
      [remediation:block]
    </recommendedActions>
  </description>
  <actions>
    <action name="BlockProcessExecutable" />
    <action name="BlockParentProcessExecutable" />
    <action name="CleanAndBlockProcessExecutable" />
  </actions>
</rule>

The second one blocks the process when this command is executed:

command:icacls \C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\ /deny *S-1-1-0:(OI)(CI)(DE,DC)

so I created this:

<?xml version="1.0" encoding="utf-8"?>
<rule>
  <severity>warning</severity>
  <definition>
    <process>
      <!-- AND: icacls.exe started with the deny-everyone ACL on its command line -->
      <operator type="AND">
        <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="icacls" />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="deny *S-1-1-0:(OI)(CI)(DE,DC)" />
      </operator>
    </process>
  </definition>
  <description>
    <name>STOP DJVU icacls Process</name>
    <explanation>
      This is the STOP DJVU process that uses the icacls process.
    </explanation>
    <maliciousCauses>
    </maliciousCauses>
    <category>
      Default
    </category>
    <recommendedActions>
      [remediation:kill]
      [remediation:block]
    </recommendedActions>
  </description>
  <actions>
    <action name="BlockProcessExecutable" />
    <action name="BlockParentProcessExecutable" />
  </actions>
</rule>

And the third one creates a registry key with this data:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper
data:\C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\701fd32c8bd585ae93d7e2d6.exe\ --AutoStart

but I still don't know how to create it.

My questions are:

Is the rule set effective against STOP DJVU ransomware? If not, is there another way?

How do I create a rule set for the registry in the third case for the DJVU process?
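To see what the first rule's condition tree actually matches, here is an added Python example (not part of the post and not ESET's rule engine): a small evaluator for the operator/condition structure of that rule, run against constructed process events. It assumes simplified semantics for the is, isnot, contains and less conditions and for the event attributes; under plain boolean logic the OR branch is already satisfied whenever the full switch string is present, so the reputation/signature sub-clause never gates a match.

```python
import xml.etree.ElementTree as ET

# Condensed copy of the first rule's condition tree from the post above.
RULE_XML = """<rule><definition><process>
<operator type="AND">
 <condition component="FileItem" property="Extension" condition="is" value="exe"/>
 <operator type="AND">
  <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin IsNotAutoStart IsNotTask"/>
  <operator type="OR">
   <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin"/>
   <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotAutoStart"/>
   <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotTask"/>
   <operator type="AND">
    <condition component="LiveGrid" property="Reputation" condition="less" value="8"/>
    <condition component="Module" property="SignatureType" condition="isnot" value="Trusted"/>
    <condition component="Enterprise" property="Safe" condition="isnot" value="1"/>
   </operator>
  </operator>
 </operator>
</operator>
</process></definition></rule>"""

# Assumed semantics for the four condition types used by the rule.
_OPS = {"is": lambda a, v: str(a) == v,
        "isnot": lambda a, v: str(a) != v,
        "contains": lambda a, v: v in str(a),
        "less": lambda a, v: float(a) < float(v)}

def _evaluate(node, event):
    # A condition looks up the (component, property) pair in the event dict;
    # an operator node folds its children with AND or OR.
    if node.tag == "condition":
        actual = event.get((node.get("component"), node.get("property")))
        return actual is not None and _OPS[node.get("condition")](actual, node.get("value"))
    results = [_evaluate(child, event) for child in node]
    return all(results) if node.get("type") == "AND" else any(results)

def rule_matches(rule_xml, event):
    """Return True if the rule's process condition tree matches one process event."""
    root = ET.fromstring(rule_xml).find("./definition/process/operator")
    return _evaluate(root, event)

# Constructed sample events keyed by (component, property); values are made up.
DJVU_LIKE = {("FileItem", "Extension"): "exe",
             ("ProcessInfo", "CommandLine"): r'"C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe" --Admin IsNotAutoStart IsNotTask',
             ("LiveGrid", "Reputation"): 2, ("Module", "SignatureType"): "None", ("Enterprise", "Safe"): 0}
# Same file reputation and signature, but only one of the three switches on the command line.
PARTIAL_SWITCHES = {**DJVU_LIKE, ("ProcessInfo", "CommandLine"): "installer.exe --Admin"}
```

Swapping the signature of DJVU_LIKE to Trusted still matches, which shows that the inner reputation/signature AND does not restrict the rule as written.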