interlock_ransomware #3621
Merged
interlock_ransomware #3621
+1,061
−787
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…rity_content into interlock_ransomware
patel-bhavin
approved these changes
Jul 31, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Tagged
Windows PowerShell FakeCAPTCHA Clipboard Execution
Windows Multi hop Proxy TOR Website Query
TOR Traffic
Windows Boot or Logon Autostart Execution In Startup Folder
System Information Discovery Detection
Network Connection Discovery With Arp
Remote Desktop Network Traffic
Windows RDPClient Connection Sequence Events
Windows RDP File Execution
Windows RDP Connection Successful
Enable RDP In Other Port Number
Cisco Secure Firewall - Remote Access Software Usage Traffic
Detect Remote Access Software Usage DNS
Detect Remote Access Software Usage Traffic
Detect Remote Access Software Usage URL
Detect Remote Access Software Usage File
Detect Remote Access Software Usage Process
Detect Remote Access Software Usage FileInfo
Registry Keys Used For Persistence
Windows AD ServicePrincipalName Added To Domain Account
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
Windows AD Short Lived Domain Account ServicePrincipalName
Windows PowerView SPN Discovery
Disabled Kerberos Pre-Authentication Discovery With PowerView
Domain Account Discovery with Wmic
Ransomware Notes bulk creation
Windows Suspicious Process File Path
Windows Suspicious Driver Loaded Path
Executables Or Script Creation In Suspicious Path
High Process Termination Frequency
PowerShell Domain Enumeration
PowerShell 4104 Hunting
Windows High File Deletion Frequency
windows_unsigned_dll_side_loading_in_same_process_path.yml
lookups
common_ransomware_extensions.yml
common_ransomware_notes.yml
ansomware_extensions_lookup.csv
ransomware_notes_lookup.csv
new detection
Windows Rundll32 Load DLL in Temp Dir
new story
What does this PR have in it? Screenshots are worth 1000 words 😄
Checklist
<platform>_<mitre att&ck technique>_<short description>nomenclatureNotes For Submitters and Reviewers
buildCI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.