Merge pull request #201 from microsoft/mjmelone-patch-37

tali-ash · web-flow · commit 3bc695dc1c38 · 2020-08-17T12:19:33.000+03:00
Create WastedLocker.csl
diff --git a/Campaigns/WastedLocker.csl b/Campaigns/WastedLocker.csl
@@ -0,0 +1,7 @@
+///////////////////////////////////////////////////////
+// This query identifies the launch pattern associated 
+// with wastedlocker ransomware.
+// reference writeup: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
+///////////////////////////////////////////////////////
+DeviceProcessEvents
+| where InitiatingProcessFileName =~ 'wscript.exe' and FileName =~ 'powershell.exe' and InitiatingProcessCommandLine matches regex @"(?i)\\chrome\.update\..+?\.js"
