BlackSuit Extension File Rename

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects file renaming activity associated with BlackSuit ransomware behavior, typically involving encryption-related extension changes during post-compromise file modification.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "File Created or Modified" AND (OBJECTNAME endswith ".blacksuit" OR FILENAME endswith ".blacksuit") select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.OBJECTNAME,Action1.FILENAME,Action1.PROCESSNAME,Action1.FILETYPE,Action1.ACCESSLIST

Detection

Execution Mode

realtime

Log Sources

Windows