Emerging Threat | Level: high | Status: test

BlueSky Ransomware Artefacts

Detect access to files and shares with names and extensions used by BlueSky ransomware, which could indicate a current or previous encryption attempt.

Author: j4son | Created: Tue May 23 | Rule ID: eee8311f-a752-44f0-bf2f-6b007db16300 | 2022
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Product: Windows (raw: windows)
Service: security (raw: security)
Detection Logic (4 selectors)
detection:
    selection_access_eid:
        EventID:
            - 4663
            - 4656
    selection_access_data:
        - ObjectName|endswith: '.bluesky'
        - ObjectName|contains: 'DECRYPT FILES BLUESKY'
    selection_share_eid:
        EventID: 5145
    selection_share_data:
        - RelativeTargetName|endswith: '.bluesky'
        - RelativeTargetName|contains: 'DECRYPT FILES BLUESKY'
    condition: all of selection_access_* or all of selection_share_*
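As an added illustration (not part of the SigmaHQ rule or this page), the four selections and the condition above evaluated in Python against constructed Windows Security events. The Sigma semantics assumed are: a mapping is AND over its fields, a list is OR over its items, field values are compared case-insensitively, and `all of selection_access_*` requires both the EventID and the data selection of that group to match.

```python
# Added example: a minimal evaluator for this rule's detection block.
# Rule selections transcribed from the detection logic above.
RULE = {
    "selection_access_eid": {"EventID": [4663, 4656]},
    "selection_access_data": [
        {"ObjectName|endswith": ".bluesky"},
        {"ObjectName|contains": "DECRYPT FILES BLUESKY"},
    ],
    "selection_share_eid": {"EventID": 5145},
    "selection_share_data": [
        {"RelativeTargetName|endswith": ".bluesky"},
        {"RelativeTargetName|contains": "DECRYPT FILES BLUESKY"},
    ],
}

def _match_field(event, key, expected):
    """Sigma field test: 'field|modifier'; a list of values is OR; comparison is case-insensitive."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    ops = {"": actual.__eq__, "endswith": actual.endswith, "contains": actual.__contains__}
    values = expected if isinstance(expected, list) else [expected]
    return any(ops[modifier](str(v).lower()) for v in values)

def _match_selection(event, selection):
    """A mapping is AND over its fields; a list of mappings is OR over the items."""
    if isinstance(selection, list):
        return any(_match_selection(event, item) for item in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())

def matches_bluesky_rule(event):
    """condition: all of selection_access_* or all of selection_share_*"""
    access = all(_match_selection(event, s) for n, s in RULE.items() if n.startswith("selection_access_"))
    share = all(_match_selection(event, s) for n, s in RULE.items() if n.startswith("selection_share_"))
    return access or share

# Constructed sample events (not real telemetry): two hits, one benign file access,
# and a 5145 event carrying the 4663-style field name, which must not match.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\Documents\budget.xlsx.bluesky"},
    {"EventID": 5145, "RelativeTargetName": r"finance\# DECRYPT FILES BLUESKY #.txt"},
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\Documents\budget.xlsx"},
    {"EventID": 5145, "ObjectName": r"share\report.bluesky"},
]

def alerts(events):
    """Return the events that would raise this rule."""
    return [e for e in events if matches_bluesky_rule(e)]
```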
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

MITRE ATT&CK

attack.impact, attack.t1486 (T1486: Data Encrypted for Impact)

Other

detection.emerging-threats
Rule Metadata
Rule ID
eee8311f-a752-44f0-bf2f-6b007db16300
Status
test
Level
high
Type
Emerging Threat
Created
Tue May 23
Author
j4son
Path
rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
Raw Tags
attack.impact, attack.t1486, detection.emerging-threats