Bivash Nayak
04 Nov

Author: CyberDudeBivash

Powered by: CyberDudeBivash Brand | cyberdudebivash.com

Related: cyberbivash.blogspot.com

FREE DOWNLOAD: Top 10 CYBERDUDEBIVASH Wazuh Ransomware Rules

Ready to deploy on your Wazuh Manager. Includes high-signal detections for vssadmin/wbadmin, ransom-note drops, mass-encryption bursts, encoded PowerShell, Defender exclusions, log clearing, LOLBins, and more.

  • ZIP pack (recommended): Download
  • Just the XML: cdb_wazuh_ransomware_rules.xml
  • README (install & test steps): README.txt

What’s inside (10 rules, IDs 880100–880109)

  1. vssadmin delete shadows → Inhibit System Recovery (T1490)
  2. wbadmin delete (catalog/systemstate) → T1490
  3. bcdedit recovery/safeboot toggles → T1490
  4. wevtutil cl (clear logs) → T1070.001
  5. PowerShell -enc / -EncodedCommand → T1059.001
  6. Ransom notes in user dirs (Sysmon Event 11) → T1486
  7. Mass encryption burst (extensions: .lock, .encrypted, etc.) with frequency/timeframe heuristic → T1486
  8. wmic shadowcopy delete → T1490
  9. LOLBin abuse (mshta/rundll32 with http/javascript) → T1218
  10. Add-MpPreference exclusions (defense evasion) → T1562.001
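
The frequency/timeframe heuristic behind rule 7, written out as an added example (not the pack's XML and not the author's code): it replays constructed Sysmon Event 11 records in the Wazuh JSON field layout and fires once 20 ransomware-extension file creates land on one host within 60 seconds, while a slow trickle of the same files stays silent. The field layout, the extension list, the 20/60 thresholds and the host names are all assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXTS = (".lock", ".encrypted")  # the extensions the page names; the pack's full list is an assumption

def parse_file_create(line):
    """Return (host, timestamp, path) for a Sysmon Event 11 record, else None.
    Field layout (agent.name, win.system.eventID, win.eventdata.targetFilename) is assumed."""
    ev = json.loads(line)
    if ev["win"]["system"]["eventID"] != "11":
        return None
    return (ev["agent"]["name"], datetime.fromisoformat(ev["timestamp"]),
            ev["win"]["eventdata"]["targetFilename"])

def detect_bursts(lines, frequency=20, timeframe=60):
    """Alert once `frequency` ransomware-extension creates land on one host within `timeframe` s
    (thresholds assumed; they play the role of Wazuh's frequency/timeframe rule attributes)."""
    recent = defaultdict(deque)  # host -> timestamps of matching creates still inside the window
    alerts = []
    for line in lines:
        parsed = parse_file_create(line)
        if parsed is None:
            continue
        host, ts, path = parsed
        if not path.lower().endswith(RANSOM_EXTS):
            continue
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > timeframe:  # expire creates older than timeframe
            window.popleft()
        if len(window) >= frequency:
            alerts.append((host, ts.isoformat()))
            window.clear()  # one alert per burst; counting restarts afterwards
    return alerts

def make_event(host, ts, path, event_id="11"):
    """Build one constructed Wazuh-style Sysmon record as a JSON line."""
    return json.dumps({"timestamp": ts.isoformat(), "agent": {"name": host},
                       "win": {"system": {"eventID": event_id},
                               "eventdata": {"targetFilename": path}}})

def sample_lines():
    """Constructed traffic: WS01 bursts, WS02 trickles one file per 10 s, WS03 is benign."""
    base, docs = datetime(2024, 11, 4, 10, 0, 0), "C:\\Users\\alice\\Documents\\"
    lines = [make_event("WS01", base, docs + "x.docx", event_id="1")]  # Event 1 (ProcessCreate): skipped
    lines += [make_event("WS01", base + timedelta(seconds=i), f"{docs}f{i}.docx.encrypted") for i in range(25)]
    lines += [make_event("WS02", base + timedelta(seconds=10 * i), f"{docs}f{i}.xlsx.lock") for i in range(25)]
    lines += [make_event("WS03", base + timedelta(seconds=i), f"{docs}report{i}.docx") for i in range(30)]
    return lines

print(detect_bursts(sample_lines()))  # [('WS01', '2024-11-04T10:00:19')]
```

Tuning the two thresholds against your own FIM/Sysmon volume is the tuning step the rule needs; a user bulk-renaming files can look like WS01 if frequency is set too low.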

Install (Manager)

  • Option A (new file): copy cdb_wazuh_ransomware_rules.xml to /var/ossec/etc/rules.d/, set perms, then systemctl restart wazuh-manager.
  • Option B (append): paste the rules inside <group>...</group> in /var/ossec/etc/rules/local_rules.xml and restart.
  • Forward Sysmon events (Event ID 1 = ProcessCreate, Event ID 11 = FileCreate) to Wazuh.
  • Use a sensible Sysmon config (e.g., SwiftOnSecurity baseline) and tune FIM for user data folders.

Prereqs

Safe quick tests

  • Ransom note drop (test VM):
    echo test > "%USERPROFILE%\Desktop\README_RECOVER_FILES.txt"
  • Encoded PowerShell:
    powershell -enc UwBFAFgA
  • Shadow copies:
    vssadmin.exe delete shadows /all /quiet (admin shell in lab only)