Holygh0st
title: North Korean Threat Actors uses New H0lyGh0st Ransomware [CVE-2022-26352] (via process_creation) description: This rule detects suspicious schtask.exe activity during the attack. author: Aytek Aytemur references:
- https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/ status: stable tags:
- attack.t1053
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- ‘/create’
- ‘/tn’
- ‘lockertask’ condition: selection falsepositives:
- unknown level: high id: 0fdd0423-8cd2-4bc3-b852-f91bd659e118
title: Detection of H0lyGh0st Ransomware Activity Used by North Korean Threat Actors (via proxy) status: stable description: A group of actors originating from North Korea, Microsoft Team tracks as DEV-0530 (tied to PLUTONIUM APT) has been developing and using ransomware in attacks. Ransomware families used by DEV-0530 known as member of SiennaPurple and SiennaBlue family which in use since 2021. references:
- https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/ author: Muhammed Hamdi Akin date: 2022/07/14 tags:
- attack.t1102
- attack.command_and_control
logsource:
category: proxy
detection:
selection:
c-uri|contains:
- access.php?order=GetPubkey&cmn
- access.php?order=golc_key_add&cmn
- access.php?order=golc_finish&cmn condition: selection fields:
- c-uri falsepositives:
- Unlikely level: high id: a84bcd01-55ba-4389-86e6-44f6cfad7259