By Christian Have, VP Products & Innovation, May 13, 2017
Update: Read our latest blog post on our newly released WannaCry Application
As WannaCry has wreaked havoc over the weekend, many organizations will face the impact of the malware during the beginning of the week. WannaCry is a ransomware attack that exploits the MS17-010 vulnerability.
After exploiting the vulnerability, the malware attempts to connect to the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
The malware expects the connection to fail and then proceeds to install and infect the system. As such LogPoint users can quickly inspect their networks by searching for the domain name and identifying machines that are infected.
A malware researcher has registered the domain, so the malware now does not install, but keep in mind that the systems are still vulnerable to the Microsoft Windows vulnerability. If a connection to this domain is seen, it does indicate that the machine was compromised.
Queries to detect the infection:
url="http://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" | chart count() by source_address
domain="iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" | chart count() by source_address
Typically more malware variants come along to exploit these vulnerabilities. LogPoint will actively monitor the research and publications and provide updates and queries as more research is carried out.
action="CHANGE FILE" file_path="C:\Windows\System32\user32.dll" | chart count() by device_name
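The queries above rely on normalized key=value events. As an added example (not LogPoint code and not part of the original post), the script below shows the same two detections run outside the SIEM: it parses a few constructed key=value log lines, counts sources that reached the kill-switch domain (via a URL or a DNS query field), and counts devices that reported a change to user32.dll. The field names, the sample lines and the `parse_event` helper are assumptions chosen to mirror the queries; they are not LogPoint's own.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Domain contacted by the malware before it installs (from the post).
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
USER32_PATH = r"c:\windows\system32\user32.dll"

# Constructed sample events in key=value form; not real log data.
SAMPLE_EVENTS = [
    'source_address=10.0.0.12 url="http://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" action=ALLOW',
    'source_address=10.0.0.12 domain="iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" query_type=A',
    'source_address=10.0.0.37 domain="iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" query_type=A',
    'source_address=10.0.0.50 url="http://www.example.com/index.html" action=ALLOW',
    'device_name=WS-FINANCE-07 action="CHANGE FILE" file_path="C:\\Windows\\System32\\user32.dll"',
    'device_name=WS-HR-02 action="CHANGE FILE" file_path="C:\\Windows\\System32\\notepad.exe"',
]

# Matches key=value and key="quoted value" pairs.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict (assumed normalized format)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def _host_matches(host):
    """True when host is the kill-switch domain or a subdomain of it."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return host == KILL_SWITCH_DOMAIN or host.endswith("." + KILL_SWITCH_DOMAIN)


def contacts_kill_switch(event):
    """Equivalent of the url=... and domain=... searches combined."""
    if _host_matches(event.get("domain")):
        return True
    url = event.get("url")
    return bool(url) and _host_matches(urlparse(url).hostname)


def count_kill_switch_contacts(lines):
    """chart count() by source_address for events that hit the domain."""
    hits = Counter()
    for line in lines:
        event = parse_event(line)
        if contacts_kill_switch(event) and "source_address" in event:
            hits[event["source_address"]] += 1
    return hits


def count_user32_changes(lines):
    """chart count() by device_name for CHANGE FILE events on user32.dll."""
    hits = Counter()
    for line in lines:
        event = parse_event(line)
        if (event.get("action") == "CHANGE FILE"
                and event.get("file_path", "").lower() == USER32_PATH
                and "device_name" in event):
            hits[event["device_name"]] += 1
    return hits


if __name__ == "__main__":
    for addr, n in count_kill_switch_contacts(SAMPLE_EVENTS).most_common():
        print(f"kill-switch contact: source_address={addr} count={n}")
    for dev, n in count_user32_changes(SAMPLE_EVENTS).most_common():
        print(f"user32.dll changed: device_name={dev} count={n}")
```

Any source_address that shows up in the first count is a host on which the malware ran to the point of its connectivity check, and so should be treated as compromised even though the registered domain now stops the installation; the count does not tell you whether MS17-010 is patched, so patch status has to be verified separately.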
Both LogPoint and LogPoint Free can easily detect WannaCry. Contact us at email@example.com
With LogPoint, you will discover a full enterprise SIEM solution.
LogPoint is EAL 3+ certified and the solution is tailored to solve the specific security management challenges of your business - whether the goal is compliance, forensics or operational insight.
And the best part? We have the most predictable licensing model in the industry.