Sponsored by
Detects wannacry killswitch domain dns queries
title: Wannacry Killswitch Domain
id: 3eaf6218-3bed-4d8a-8707-274096f12a18
status: test
description: Detects wannacry killswitch domain dns queries
author: Mike Wade
references:
- https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html
date: 2020/09/16
modified: 2021/11/27
logsource:
category: dns
detection:
selection:
query:
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'
- 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- ''
condition: selection
falsepositives:
- Analyst testing
level: high
tags:
- attack.command_and_control
- attack.t1071.001