1 Reply. Latest reply: May 16, 2017 5:29 AM by pschnoor

Cascade + Wannacry detection

Josefina Mendez

Is Riverbed recommending any type of actions to detect or control Wannacry?

Thanks

  • Re: Cascade + Wannacry detection
    pschnoor

    Here are some things you could do with NetProfiler:

    - verify the worm policy is enabled (Behavior Analysis > Policies > Security)

    - create a User Defined Policy to look for any connections from internal to external on tcp/445 (you may need to first run a report to see if there are exceptions to be excluded)

    - create a User Defined Policy to look for any connections from external to internal on tcp/445

    - create a User Defined Policy to look for the presence of any SMBv1, which is an L7 application included with NetShark, AR11 and Steelhead depending on software versions. See Definitions > Applications to see if it is an available application.

    - create a User Defined Policy to look for traffic to 192.168.56.20 or 172.16.99.5. Of course these could be legitimate IPs, but these are two IPs hardcoded in the malware.
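
Added example, not part of the thread and not Riverbed code: the checks listed in the reply above, expressed as offline Python over a constructed flow export so the matching logic and the exception handling can be tested before building the policies. The CSV layout, internal ranges, exception pair, application labels and policy names are assumptions for illustration.

```python
import csv
import io
import ipaddress

# Assumptions (not from the thread): the site's internal ranges and an
# allow-list of known-good tcp/445 pairs found by a baseline report.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXCEPTIONS = {("10.1.1.10", "203.0.113.7")}
# The two addresses the reply says are hardcoded in the malware.
HARDCODED_IPS = {"192.168.56.20", "172.16.99.5"}

# Constructed sample flow export, columns: src,dst,proto,dport,app
SAMPLE_FLOWS = """\
10.1.1.5,198.51.100.9,tcp,445,SMBv2
203.0.113.50,10.1.1.8,tcp,445,SMBv1
10.1.1.10,203.0.113.7,tcp,445,SMBv2
10.1.1.6,10.1.1.7,tcp,445,SMBv1
10.1.1.9,192.168.56.20,tcp,445,SMBv1
10.1.1.5,198.51.100.9,tcp,443,HTTPS
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify(src, dst, proto, dport, app):
    """Return the list of policy names a single flow record matches."""
    hits = []
    smb_port = proto == "tcp" and int(dport) == 445
    if smb_port and (src, dst) not in EXCEPTIONS:
        if is_internal(src) and not is_internal(dst):
            hits.append("445-internal-to-external")
        elif not is_internal(src) and is_internal(dst):
            hits.append("445-external-to-internal")
    if app.upper() == "SMBV1":
        hits.append("smbv1-present")
    if src in HARDCODED_IPS or dst in HARDCODED_IPS:
        hits.append("hardcoded-ip")
    return hits

def scan(text):
    """Classify every row; return (src, dst, hits) for flows with hits."""
    out = []
    for row in csv.reader(io.StringIO(text)):
        if row and (hits := classify(*row)):
            out.append((row[0], row[1], hits))
    return out
```

Calling `scan(SAMPLE_FLOWS)` flags four of the six constructed flows; the excepted pair and the tcp/443 flow produce no hits.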