Bad Rabbit

 

Use the JSA Bad Rabbit Content Extension to detect and track the Bad Rabbit ransomware.

JSA Bad Rabbit Content Extension V1.0.1

Saved searches are now shared by default. Saved searches and building blocks that weren't in groups are added to groups. Updated custom property descriptions.

JSA Bad Rabbit Content Extension V1.0.0

The following table shows the custom properties in JSA Bad Rabbit Content Extension V1.0.0.

Table 1: Custom Properties in JSA Bad Rabbit Content Extension V1.0.0

Name        Optimized   Capture Group   Regex
File_Hash   Yes         1               IBM\(HTTP_FILES_CKSUM\)=0x([^;]+);
File_Name   Yes         1               IBM\(CONTENT_FILE_NAME\)=([^;]+);
HTTP Host   Yes         1               IBM\(HTTP_HOST\)=([^;]+);
                                        Host\:\s(.+?)\x0d\x0a

The following table shows the rules and building blocks in JSA Bad Rabbit Content Extension V1.0.0.

Table 2: Rules and Building Blocks in JSA Bad Rabbit Content Extension V1.0.0

Type             Name                               Description
Building Block   BadRabbit Event Host Name          References host names.
Building Block   BB:BadRabbit Event File Hash       References file hashes.
Building Block   BB:BadRabbit Event File Name       References file names.
Building Block   BB:BadRabbit IP Found              References IP addresses.
Rule             BadRabbit Detected In Real Time    Fires when an event or flow that was detected by the local system matches any of the building blocks listed below.

The BadRabbit Detected In Real Time rule tests against the following building blocks:

  • BB:BadRabbit Event File Hash

  • BB:BadRabbit Event File Name

  • BB:BadRabbit QNI File Hash

  • BB:BadRabbit QNI File Name

  • BB:BadRabbit QNI Host

The BadRabbit Event Host Name and BB:BadRabbit IP Found building blocks are available, but are not included in the rule by default. This exclusion is intentional because the host name and IP building blocks can generate false positives with multi-hosted domains. The host name and IP reference sets are for customers who are not worried about these false positives and who might want to investigate communication from known host names and IP addresses that are distributing attack vectors. You can also use the saved searches that are added to check if any of these host names and IP addresses exist in your organization.

The following reference sets are included in JSA Bad Rabbit Content Extension V1.0.0:

  • BadRabbit_FileHash

  • BadRabbit_FileName

  • BadRabbit_Hostname
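The following Python is an added illustration, not part of the content extension and not Juniper's code. It applies the Table 1 custom property regexes to constructed sample payloads and then checks the extracted values against stand-in reference sets the way the file hash, file name and host name building blocks do, leaving the host name check out of the default rule as the extension does. The payloads and reference set values are constructed placeholders, not real Bad Rabbit indicators.

```python
import re

# Custom property regexes exactly as listed in Table 1; capture group 1 holds the value.
CUSTOM_PROPERTIES = {
    "File_Hash": [re.compile(r"IBM\(HTTP_FILES_CKSUM\)=0x([^;]+);")],
    "File_Name": [re.compile(r"IBM\(CONTENT_FILE_NAME\)=([^;]+);")],
    "HTTP Host": [re.compile(r"IBM\(HTTP_HOST\)=([^;]+);"),
                  re.compile(r"Host\:\s(.+?)\x0d\x0a")],   # raw HTTP header form
}

# Stand-ins for the extension's reference sets. Constructed placeholders only,
# not actual indicators; values are kept lower-case for comparison.
REFERENCE_SETS = {
    "BadRabbit_FileHash": {"0123456789abcdef0123456789abcdef"},
    "BadRabbit_FileName": {"install_flash_player.exe"},
    "BadRabbit_Hostname": {"updates.example.invalid"},
}

# (custom property, reference set) pairs the default rule consults; the host name
# check is optional because multi-hosted domains can produce false positives.
DEFAULT_RULE_CHECKS = [("File_Hash", "BadRabbit_FileHash"),
                       ("File_Name", "BadRabbit_FileName")]
OPTIONAL_CHECKS = [("HTTP Host", "BadRabbit_Hostname")]


def extract_properties(payload: str) -> dict:
    """Apply each custom property's regexes to the payload; first match wins."""
    found = {}
    for name, patterns in CUSTOM_PROPERTIES.items():
        for pattern in patterns:
            match = pattern.search(payload)
            if match:
                found[name] = match.group(1)
                break
    return found


def matched_building_blocks(payload: str, include_hostname: bool = False) -> list:
    """Return the names of the reference sets the payload's extracted values hit."""
    props = extract_properties(payload)
    checks = DEFAULT_RULE_CHECKS + (OPTIONAL_CHECKS if include_hostname else [])
    return [ref for prop, ref in checks
            if props.get(prop, "").lower() in REFERENCE_SETS[ref]]


# Constructed sample payloads: one in the IBM(...)=...; key/value style the Table 1
# regexes expect, and one raw HTTP request header block.
SAMPLE_QNI_EVENT = ("IBM(HTTP_HOST)=updates.example.invalid;"
                    "IBM(CONTENT_FILE_NAME)=install_flash_player.exe;"
                    "IBM(HTTP_FILES_CKSUM)=0x0123456789abcdef0123456789abcdef;")
SAMPLE_HTTP_HEADERS = "GET /x HTTP/1.1\r\nHost: updates.example.invalid\r\n\r\n"
```

Running `matched_building_blocks(SAMPLE_QNI_EVENT)` returns the file hash and file name sets only; the host name set appears only when `include_hostname=True`, which mirrors the note above about the excluded building blocks.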

The following table shows the saved searches in JSA Bad Rabbit Content Extension V1.0.0.

Table 3: Saved Searches in JSA Bad Rabbit Content Extension V1.0.0

Name                                             Description
BadRabbit Event “DestinationIP” Last 24 Hours    Event search added for matches on the event destination IP address.
BadRabbit Event “FileHash” Last 24 Hours         Event search added for matches on event file hashes.
BadRabbit Event “Hostname” Last 24 Hours         Event search added for matches on the host name.
BadRabbit Event “SourceIP” Last 24 Hours         Event search added for matches on the event source IP address.
BadRabbit Flows “DestinationIP” Last 24 Hours    Flow search added for matches on the flow destination IP address.
BadRabbit Flows “SourceIP” Last 24 Hours         Flow search added for matches on the flow source IP address.