As a priority prevention action, update any systems with MS17-010 if they don't already contain the update.
Trellix IPS coverage for Petya Ransomware
Existing signatures:
- 0x43c0bd00 - NETBIOS-SS: MS17-010 SMB Remote Code Execution (External Tools and WannaCry Ransomware)
- 0x43c0b800 - NETBIOS-SS: Windows SMBv1 identical MID and FID type confusion vulnerability (CVE-2017-0143)
- 0x43c0b400 - NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0144)
- 0x43c0b500 - NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)
- 0x43c0b300 - NETBIOS-SS: Microsoft Windows SMB Out of bound Write Vulnerability (CVE-2017-0146)
- 0x43c0b900 - NETBIOS-SS: Windows SMBv1 information disclosure vulnerability (CVE-2017-0147)
- 0x451e3300 - HTTP: Microsoft Office OLE Arbitrary Code Execution Vulnerability (CVE-2017-0199)
Access Protection rules for Endpoint Security (ENS)
The following Access Protection rules for ENS can help combat the malware. We've updated the recommended Access Protection rules to more effectively target this specific variant of Petya.
NOTE: These Access Protection rules don't circumvent the need to implement the Extra.DAT. The rules are intended to help in combating the malware, but they don't prevent the malware payload from being created or executed on a system. These two Access Protection rules prevent rundll32.exe from starting any instances of cmd.exe, and also prevent creation of the Microsoft TechNet PSExec utility's service executable. These rules don't prevent downloading or saving PSExec under its original file name, so an administrator can still use this utility as needed.
ENS Access Protection Rules

Rule 1 (block rundll32.exe from starting cmd.exe):
- Create a rule with an inclusion status of "Include" using rundll32.exe for the File name or Path.
- Create a subrule with a type of "files," and for a target include cmd.exe.
- Select the action to prevent execution.

Rule 2 (block creation of the PSExec service executable):
- Create a rule with an inclusion status of "Include" using * for the File name or Path.
- Create a subrule with a type of "files," and for a target include **\PSEXESVC.EXE.
- Select the action to prevent creation.
Process to include: *
Process to exclude: (none)
File/Folder to block: **\PSEXESVC.EXE
Actions: Block creation
NOTE: This rule prevents any process from creating the PSExec remote service executable. Blocking this file creation can help prevent the replication of PSExec, a component used in replication of the malware payload. This rule doesn't prevent an administrator from saving new copies of PSExec to systems where the rule is applied, but it does prevent PSEXESVC.EXE from being created on the target system, thus preventing the use of PSExec, whether it's used maliciously or for normal remote administrative purposes.
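As an added illustration (not Trellix code or a product API), the following Python models the two Access Protection rules above and evaluates constructed process-execution and file-creation events against them. The matching semantics (case-insensitive basename match for a bare file name, `**\` as an "any directory" prefix, `*` as any process) are assumptions about rule behaviour, and the sample events are constructed, not real telemetry.

```python
import fnmatch
import ntpath

# Constructed model of the two Access Protection rules from the article (assumed semantics):
#   rule 1: rundll32.exe must not execute cmd.exe
#   rule 2: any process (*) must not create **\PSEXESVC.EXE
RULES = [
    {"name": "rundll32-no-cmd", "process": "rundll32.exe", "exclude": [],
     "target": "cmd.exe", "action": "execute"},
    {"name": "block-psexesvc", "process": "*", "exclude": [],
     "target": "**\\PSEXESVC.EXE", "action": "create"},
]

def match_target(pattern, path):
    """Match an ENS-style target pattern against a Windows path (case-insensitive).
    A '**\\' prefix means 'in any directory'; a bare file name matches the basename."""
    pattern, path = pattern.lower(), path.lower()
    if pattern.startswith("**\\"):
        return fnmatch.fnmatchcase(ntpath.basename(path), pattern[3:])
    if "\\" not in pattern:
        return fnmatch.fnmatchcase(ntpath.basename(path), pattern)
    return fnmatch.fnmatchcase(path, pattern)

def evaluate(event):
    """Return the name of the first rule that would block the event, or None if allowed."""
    proc = ntpath.basename(event["process"]).lower()
    for rule in RULES:
        if rule["action"] != event["action"]:
            continue
        if not fnmatch.fnmatchcase(proc, rule["process"].lower()):
            continue
        if any(fnmatch.fnmatchcase(proc, ex.lower()) for ex in rule["exclude"]):
            continue
        if match_target(rule["target"], event["target"]):
            return rule["name"]
    return None

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"action": "execute", "process": r"C:\Windows\System32\rundll32.exe", "target": r"C:\Windows\System32\cmd.exe"},
    {"action": "create", "process": r"C:\Windows\System32\services.exe", "target": r"C:\Windows\PSEXESVC.EXE"},
    {"action": "create", "process": r"C:\Tools\PsExec.exe", "target": r"\\fileserver\ADMIN$\psexesvc.exe"},
    {"action": "create", "process": r"C:\Program Files\browser.exe", "target": r"C:\Tools\PsExec.exe"},
    {"action": "execute", "process": r"C:\Windows\explorer.exe", "target": r"C:\Windows\System32\cmd.exe"},
]

def audit(events=SAMPLE_EVENTS):
    """Map each event to the blocking rule name, or None when the rules allow it."""
    return [evaluate(e) for e in events]
```

The fourth sample event (saving PsExec.exe itself) is allowed while the service executable is blocked, matching the note above that administrators can still keep copies of PSExec.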