BlackSuit Extension File Rename
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects file renaming activity associated with BlackSuit ransomware behavior, typically involving encryption-related extension changes during post-compromise file modification.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "File Created or Modified" AND (OBJECTNAME endswith ".blacksuit" OR FILENAME endswith ".blacksuit")
select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.OBJECTNAME,Action1.FILENAME,Action1.PROCESSNAME,Action1.FILETYPE,Action1.ACCESSLIST
Detection
Execution Mode
realtime
Log Sources
Windows


