Anyone Hunting for Bad Rabbits?

For those of you who attended the Bay Area BigFix User Group Conference and remember the Security Round Table discussion Jeremy and I facilitated, here is an example of reading about "Evil" in the news and turning around and using BigFix to look for "Evil".

If you haven't seen the news reports of the "Bad Rabbit" ransomware yet, then here is a good article with some actionable IOCs you can use with BigFix to help you hunt for "Bad Rabbits".

Here is a snippet from my .bes file for the properties. This was a quick way to see if you may be affected. If the file is found and you are NOT already OWNED, then you could pull back the file creation time to get a timestamp of when you might have been infected.

exists file "C:\windows\infpub.dat"
exists file "C:\windows\cscc.dat"
exists file "C:\windows\dispci.exe"


BigFix is great for ad-hoc hunts like this where there are known indicators of compromise. I'm using the exists file statements you provided as relevance, and if the files do exist, then doing a hash comparison on them to check for the published IOCs. An example:
(it = "b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6") of sha256 of file "c:\windows\cscc.dat"

So far the files themselves have only been seen on a test system where I created blank files for relevance validation, though of course the hashes don’t match the Bad Rabbit indicators.


@mlarsen Great idea. I have since added the MD5 and creation date of the file and found a few "bad rabbits".


Has anyone given thought or consideration to an IOC -> relevance "compiler"?
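As a worked example of the IOC -> relevance "compiler" asked about above, and of the hash-plus-creation-time hunt the earlier posts describe, here is a small Python generator. It is an added example, not code from this thread or from BigFix. It assumes the relevance forms `exists file "path" whose (sha256 of it = "...")`, `md5 of it`, `creation time of it`, the plural `files "path"` being empty when the file is missing, `;` as the plural concatenation operator, and `%22` as the escape for a double quote inside a relevance string literal; the `as lowercase` cast is there because the example does not rely on the hash inspectors' output case. The sample IOC list is constructed: the paths are the ones posted above, the hashes are placeholders, not real Bad Rabbit indicators. The generator rejects any hash that is not exactly the right number of hex digits, which catches the most common copy/paste failure in hand-written relevance (for instance, the sha256 quoted in the second post is 63 hex characters as pasted, so it could never match a real file).

```python
"""IOC -> BigFix relevance generator (added example, not from the thread or BigFix)."""
import re
from dataclasses import dataclass
from typing import List, Optional

HASH_LEN = {"sha256": 64, "sha1": 40, "md5": 32}


@dataclass
class FileIoc:
    path: str
    sha256: Optional[str] = None
    md5: Optional[str] = None


def validate_hash(kind: str, value: str) -> str:
    """Lowercase the hash and refuse anything that is not exactly the expected hex length."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[kind], v):
        raise ValueError(f"{kind} must be {HASH_LEN[kind]} hex digits, got {len(v)}: {value!r}")
    return v


def rel_str(s: str) -> str:
    """Quote a relevance string literal; a literal double quote is written %22 (assumption)."""
    return '"' + s.replace('"', "%22") + '"'


def file_clause(ioc: FileIoc, plural: bool = False) -> str:
    """`file "path"` (or `files "path"`), restricted by whose() to the hashes we know."""
    conds = []
    if ioc.sha256:
        conds.append(f'((sha256 of it) as lowercase) = {rel_str(validate_hash("sha256", ioc.sha256))}')
    if ioc.md5:
        conds.append(f'((md5 of it) as lowercase) = {rel_str(validate_hash("md5", ioc.md5))}')
    base = f'{"files" if plural else "file"} {rel_str(ioc.path)}'
    return f"{base} whose ({' or '.join(conds)})" if conds else base


def detect_relevance(iocs: List[FileIoc]) -> str:
    """Applicability relevance: true if any indicator file exists with a matching hash."""
    return " or ".join(f"(exists {file_clause(i)})" for i in iocs)


def creation_time_property(iocs: List[FileIoc]) -> str:
    """Analysis property: one 'path created <time>' line per matched file.
    The plural `files` form yields nothing when the file is missing, so `;` only joins hits."""
    return "; ".join(
        f'(pathname of it & " created " & ((creation time of it) as string)) of {file_clause(i, plural=True)}'
        for i in iocs
    )


def parse_iocs(text: str) -> List[FileIoc]:
    """Parse lines of `path,sha256,md5`; an empty field means 'not known'; # starts a comment."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",", 2)]
        fields += [""] * (3 - len(fields))
        path, sha256, md5 = fields
        out.append(FileIoc(path, sha256 or None, md5 or None))
    return out


# Constructed sample: paths from the thread, placeholder hashes (NOT real indicators).
SAMPLE_IOCS = (
    "# path,sha256,md5\n"
    f"C:\\windows\\infpub.dat,{'A' * 64},\n"
    f"C:\\windows\\cscc.dat,,{'b' * 32}\n"
    "C:\\windows\\dispci.exe,,\n"
)

if __name__ == "__main__":
    iocs = parse_iocs(SAMPLE_IOCS)
    print("relevance:", detect_relevance(iocs))
    print("property: ", creation_time_property(iocs))
```

Paste the first string into a Fixlet or baseline's relevance and the second into an analysis property; a path with no hash (like dispci.exe in the sample) degrades to a plain `exists file` check, which is noisier but still useful as a trigger for pulling the hash back.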