This bundle detects WannaCry by looking for the specific EternalBlue exploit used to propagate itself. It shows infected victims and attackers. It also shows hosts that are looking up the killswitch domains.
- Download the bundle on this page.
- Log into the ExtraHop Web UI and complete the following procedures, which are available in the ExtraHop Web UI Guide ExtraHop Web UI Guide.
If you don't see any charts, it might mean that you have no infections. You can to go to the killswitch domain to make sure the bundle is showing hosts that look up the domain.