mirror of https://gitlab.com/curben/blog
---
title: RestartManager abuse
layout: page
date: 2025-07-27
---

Description: Ransomware often abuses RestartManager to force applications to release the locks they hold on files so that it can proceed to encrypt those files.

Caveat: Adjust the `quantity` appropriately to reduce false positives.

References: [1](https://blogs.jpcert.or.jp/en/2024/09/windows.html), [2](https://www.crowdstrike.com/en-us/blog/windows-restart-manager-part-1/)

SPL:

```spl
index="windows" source="XmlWinEventLog:Application" EventCode IN (10000,10001) Name="'Microsoft-Windows-RestartManager'"
| eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S %z"), objectSid=replace(UserID, "'", "")
| stats earliest(Time) AS first_occur, count BY index, host, objectSid
| lookup ad_users objectSid OUTPUT sAMAccountName AS Username, displayName AS Name
| table first_occur, index, host, objectSid, Username, Name
| sort -first_occur
```
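To show the same detection logic outside Splunk, here is an added Python example (not from the original post): it parses XmlWinEventLog-style records, keeps only Microsoft-Windows-RestartManager events 10000/10001, aggregates them per host and SID the way the `stats` line does, and applies the `quantity` threshold from the caveat. The sample events, host names and SIDs are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RM_PROVIDER = "Microsoft-Windows-RestartManager"
RM_EVENT_IDS = {10000, 10001}  # RestartManager session started / session ended

def _event(event_id, when, host, sid, provider=RM_PROVIDER):
    # Constructed XmlWinEventLog-style record (sample data, not real telemetry).
    return (f"<Event xmlns='{NS['e']}'><System>"
            f"<Provider Name='{provider}' /><EventID>{event_id}</EventID>"
            f"<TimeCreated SystemTime='{when}' /><Computer>{host}</Computer>"
            f"<Security UserID='{sid}' /></System></Event>")

# Constructed sample: ws01 sees three sessions in quick succession, ws02 one,
# plus an unrelated event 10000 from another provider that must be ignored.
SAMPLE_EVENTS = [
    _event(10000, "2025-07-27T08:00:03Z", "ws01", "S-1-5-21-1-2-3-1001"),
    _event(10001, "2025-07-27T08:00:02Z", "ws01", "S-1-5-21-1-2-3-1001"),
    _event(10000, "2025-07-27T08:00:01Z", "ws01", "S-1-5-21-1-2-3-1001"),
    _event(10000, "2025-07-27T09:15:00Z", "ws02", "S-1-5-21-1-2-3-1002"),
    _event(10000, "2025-07-27T09:16:00Z", "ws02", "S-1-5-21-1-2-3-1002", "Other"),
]

def parse_event(xml_text):
    """Return (host, sid, time) for RestartManager 10000/10001 events, else None."""
    system = ET.fromstring(xml_text).find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name", "").strip("'")
    if provider != RM_PROVIDER or int(system.find("e:EventID", NS).text) not in RM_EVENT_IDS:
        return None
    when = datetime.strptime(system.find("e:TimeCreated", NS).get("SystemTime"),
                             "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # strip("'") mirrors the SPL replace(UserID, "'", "") for quoted field extractions
    sid = system.find("e:Security", NS).get("UserID").strip("'")
    return system.find("e:Computer", NS).text, sid, when

def summarize(xml_events):
    """Equivalent of `stats earliest(Time) AS first_occur, count BY host, objectSid`."""
    stats = {}
    for host, sid, when in filter(None, map(parse_event, xml_events)):
        entry = stats.setdefault((host, sid), {"first_occur": when, "count": 0})
        entry["first_occur"] = min(entry["first_occur"], when)
        entry["count"] += 1
    return stats

def flag(stats, min_count):
    """Apply the page's `quantity` threshold; hits sorted newest first_occur first."""
    hits = [(key, val) for key, val in stats.items() if val["count"] >= min_count]
    return sorted(hits, key=lambda kv: kv[1]["first_occur"], reverse=True)
```

With `min_count=2` only ws01 is flagged; lowering it to 1 also surfaces the single session on ws02, which is the false-positive trade-off the caveat refers to.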