From e246bfa79ccc3ff7e258768287a19a14bfc42bf1 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 17 Oct 2020 23:06:52 +0200
Subject: [PATCH] feat: sigma rule for raccine

---
 sigma/win_raccine_block.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 sigma/win_raccine_block.yml

diff --git a/sigma/win_raccine_block.yml b/sigma/win_raccine_block.yml
new file mode 100644
index 0000000..fd530bb
--- /dev/null
+++ b/sigma/win_raccine_block.yml
@@ -0,0 +1,22 @@
+title: Raccine Blocked Malicious Activity
+id: ce1ae413-3a83-4424-a61d-25827480c173
+description: Detects Raccine blocking the execution of an executable that has been invoked with parameters that are on the blocklist
+date: 2020/10/17
+author: Florian Roth, John Lambert
+references:
+ - https://github.com/Neo23x0/Raccine
+tags:
+ - attack.execution
+ - attack.ta0002
+ - attack.t1059.003
+logsource:
+ product: windows
+ service: application
+detection:
+ selection:
+ Source: Raccine
+ EventID: 2
+ condition: selection
+falsepositives:
+ - Backup software triggering the blocks by accessing the volume shadow copies
+level: high
\ No newline at end of file
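Review bot: The selection keys on `EventID: 2` in the Application channel, which is only meaningful together with the provider match, so the field name `Source` should be confirmed against the field naming the Sigma Windows backends use for the event provider (other Application-log rules commonly use `Provider_Name`); if it does not map, the rule could degrade to matching every provider's EventID 2. The rule also has no `status:` entry (for example `status: experimental`), which Sigma tooling generally expects on a newly added rule. Since the falsepositives entry points at volume shadow copy access, adding `attack.impact` and `attack.t1490` next to the execution tags would describe the blocked behaviour more precisely. The file is committed without a trailing newline, as the `\ No newline at end of file` marker shows.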