Analyzing Rhysida Ransomware Intrusion
Conclusion
Threat Hunting
Type: ("Process Creation") AND Source.Process.User: ("Local System") AND Target.Process.File.Name: ("powershell.exe" or "powershell_ise.exe" or "cmd.exe")
Type:"Socket Connect" AND Source.Process.Name: "powershell.exe" AND RemotePort:443 AND RemoteIP:(23.52.156[.]13 OR 104.91.97[.]237)
Type:"Socket Connect" AND Source.Process.Name: "rundll32.exe" AND RemotePort:443 AND RemoteIP:(23.108.57[.]83)
Type: ("File Write") AND Source.Process.CommandLine: ("procdump.exe -accepteula -ma lsass.exe")
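The four hunting queries above re-expressed as Python predicates and run over a few constructed telemetry events. This is an added example, not code from the original write-up; the event dicts, their `id` values and the use of the query field names as dict keys are assumptions, while the IP addresses and command line are the ones the queries list.

```python
# Added example: the Rhysida hunting queries as predicates over constructed events.
# Indicators below are the (defanged) values from the hunting queries on this page.
POWERSHELL_C2 = {"23.52.156[.]13", "104.91.97[.]237"}
RUNDLL32_C2 = {"23.108.57[.]83"}
SHELLS = {"powershell.exe", "powershell_ise.exe", "cmd.exe"}
PROCDUMP_LSASS = "procdump.exe -accepteula -ma lsass.exe"


def refang(ip: str) -> str:
    """Turn a defanged indicator (1.2.3[.]4) back into a comparable address."""
    return ip.replace("[.]", ".")


def system_spawns_shell(ev: dict) -> bool:
    # Query 1: LOCAL SYSTEM launching an interactive shell or PowerShell host.
    return (ev.get("Type") == "Process Creation"
            and ev.get("Source.Process.User") == "Local System"
            and ev.get("Target.Process.File.Name", "").lower() in SHELLS)


def powershell_c2(ev: dict) -> bool:
    # Query 2: powershell.exe connecting over 443 to the listed addresses.
    return (ev.get("Type") == "Socket Connect"
            and ev.get("Source.Process.Name", "").lower() == "powershell.exe"
            and ev.get("RemotePort") == 443
            and ev.get("RemoteIP") in {refang(ip) for ip in POWERSHELL_C2})


def rundll32_c2(ev: dict) -> bool:
    # Query 3: rundll32.exe connecting over 443 to the listed address.
    return (ev.get("Type") == "Socket Connect"
            and ev.get("Source.Process.Name", "").lower() == "rundll32.exe"
            and ev.get("RemotePort") == 443
            and ev.get("RemoteIP") in {refang(ip) for ip in RUNDLL32_C2})


def lsass_dump(ev: dict) -> bool:
    # Query 4: procdump writing a full memory dump of lsass.exe (credential theft).
    return (ev.get("Type") == "File Write"
            and PROCDUMP_LSASS in ev.get("Source.Process.CommandLine", "").lower())


HUNTS = {"system_spawns_shell": system_spawns_shell, "powershell_c2": powershell_c2,
         "rundll32_c2": rundll32_c2, "lsass_dump": lsass_dump}


def run_hunts(events: list) -> list:
    """Return (hunt name, event id) for every event that matches a hunt."""
    return [(name, ev["id"]) for ev in events for name, pred in HUNTS.items() if pred(ev)]


# Constructed sample telemetry (assumption: one dict per event, keyed by query field names).
SAMPLE_EVENTS = [
    {"id": 1, "Type": "Process Creation", "Source.Process.User": "Local System", "Target.Process.File.Name": "powershell.exe"},
    {"id": 2, "Type": "Process Creation", "Source.Process.User": "CORP\\alice", "Target.Process.File.Name": "cmd.exe"},
    {"id": 3, "Type": "Socket Connect", "Source.Process.Name": "powershell.exe", "RemotePort": 443, "RemoteIP": "104.91.97.237"},
    {"id": 4, "Type": "Socket Connect", "Source.Process.Name": "rundll32.exe", "RemotePort": 443, "RemoteIP": "23.108.57.83"},
    {"id": 5, "Type": "Socket Connect", "Source.Process.Name": "rundll32.exe", "RemotePort": 80, "RemoteIP": "23.108.57.83"},
    {"id": 6, "Type": "File Write", "Source.Process.CommandLine": "C:\\Tools\\procdump.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\l.dmp"},
]
```

Events 2 and 5 are deliberate near-misses (non-SYSTEM user, wrong port) to show the predicates match only the full condition of each query.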