Analytics Story: BlackByte Ransomware

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to BlackByte ransomware, including file writes associated with BlackByte, persistence, initial access, account and registry modification, and more.

Why it matters

BlackByte ransomware campaigns targeting business operations involve ransomware payloads and an infection chain that collects and exfiltrates data before dropping the payload on the targeted system. BlackByte operates by infiltrating a system through methods such as malicious email attachments, exploit kits, or compromised websites. Once inside a system, it encrypts files using strong encryption algorithms, rendering them unusable. After the encryption process completes, BlackByte typically leaves a ransom note that explains the situation to the victim and provides instructions on how to pay the ransom to obtain the decryption key.

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count, dc(All_Risk.analyticstories) as dc_analyticstories from datamodel=Risk.All_Risk where All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell") OR (All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell") AND All_Risk.analyticstories="Cobalt Strike") All_Risk.risk_object_type="system" by _time span=1h All_Risk.risk_object All_Risk.risk_object_type | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >=5 | `proxyshell_proxynotshell_behavior_detected_filter`
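The risk-based correlation search above only fires when one risk object accumulates at least five distinct detection sources inside a one-hour bucket. To make that threshold logic testable offline, the following Python model (an added example, not code from the Splunk analytics story or from the ESCU project) reproduces the search's grouping, aggregation and `source_count >= 5` filter over a set of constructed risk events. Field names mirror the Risk data model; the sample events, timestamps, risk scores and host names are invented for the demonstration, while the `source` values are detection names from this story's table.

```python
"""Model of the risk-aggregation correlation search, run over constructed
risk events. Added example; not part of the Splunk analytics story."""
from collections import defaultdict
from datetime import datetime, timezone

WATCHED_STORIES = {"ProxyNotShell", "ProxyShell"}  # IN ("ProxyNotShell","ProxyShell")
SOURCE_THRESHOLD = 5                                # where source_count >= 5


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _hour_bucket(dt):
    # equivalent of `by _time span=1h`
    return dt.replace(minute=0, second=0, microsecond=0)


def _matches_filter(event):
    # The search's second OR branch (watched story AND "Cobalt Strike") is a
    # subset of the first, so one membership test reproduces the whole clause.
    in_watched = bool(set(event["analyticstories"]) & WATCHED_STORIES)
    return in_watched and event["risk_object_type"] == "system"


def aggregate_risk(events):
    """Group filtered risk events by (hour, risk_object, risk_object_type) and
    compute the same aggregates the tstats command produces."""
    groups = defaultdict(list)
    for ev in events:
        if _matches_filter(ev):
            t = _parse_time(ev["_time"])
            groups[(_hour_bucket(t), ev["risk_object"], ev["risk_object_type"])].append((t, ev))
    rows = []
    for (bucket, obj, obj_type), members in sorted(groups.items()):
        times = [t for t, _ in members]
        evs = [e for _, e in members]
        tactics = {e["mitre_tactic_id"] for e in evs}
        techniques = {e["mitre_technique_id"] for e in evs}
        stories = set().union(*(e["analyticstories"] for e in evs))
        sources = {e["source"] for e in evs}
        rows.append({
            "_time": bucket.isoformat(), "risk_object": obj, "risk_object_type": obj_type,
            "firstTime": min(times).isoformat(), "lastTime": max(times).isoformat(),
            "risk_score": sum(e["calculated_risk_score"] for e in evs),
            "risk_event_count": len(evs),
            "mitre_tactic_id": sorted(tactics), "mitre_tactic_id_count": len(tactics),
            "mitre_technique_id": sorted(techniques), "mitre_technique_id_count": len(techniques),
            "analyticstories": sorted(stories), "dc_analyticstories": len(stories),
            "source": sorted(sources), "source_count": len(sources),
        })
    return rows


def detect(events, threshold=SOURCE_THRESHOLD):
    """Rows that pass the final `where source_count >= 5` clause."""
    return [r for r in aggregate_risk(events) if r["source_count"] >= threshold]


def _ev(ts, obj, obj_type, stories, score, source, tactic, technique):
    return {"_time": ts, "risk_object": obj, "risk_object_type": obj_type,
            "analyticstories": stories, "calculated_risk_score": score, "source": source,
            "mitre_tactic_id": tactic, "mitre_technique_id": technique}


# Constructed sample risk events (hosts, times and scores are invented).
SAMPLE_RISK_EVENTS = [
    # exch01: five distinct detection sources in the 10:00 hour -> fires
    _ev("2023-05-01T10:05:00Z", "exch01", "system", ["ProxyShell"], 60, "Detect Exchange Web Shell", "TA0001", "T1190"),
    _ev("2023-05-01T10:12:00Z", "exch01", "system", ["ProxyShell"], 50, "W3WP Spawning Shell", "TA0003", "T1505.003"),
    _ev("2023-05-01T10:20:00Z", "exch01", "system", ["ProxyNotShell"], 70, "Exchange PowerShell Abuse via SSRF", "TA0001", "T1190"),
    _ev("2023-05-01T10:31:00Z", "exch01", "system", ["ProxyShell", "Cobalt Strike"], 80, "Cobalt Strike Named Pipes", "TA0005", "T1055"),
    _ev("2023-05-01T10:44:00Z", "exch01", "system", ["ProxyShell"], 40, "Exchange PowerShell Module Usage", "TA0002", "T1059.001"),
    # a later exch01 event falls into the next hour bucket and does not add to the count
    _ev("2023-05-01T11:02:00Z", "exch01", "system", ["ProxyShell"], 40, "Windows Exchange Autodiscover SSRF Abuse", "TA0001", "T1190"),
    # exch02: four events but only three distinct sources -> below threshold
    _ev("2023-05-01T10:07:00Z", "exch02", "system", ["ProxyShell"], 60, "Detect Exchange Web Shell", "TA0001", "T1190"),
    _ev("2023-05-01T10:09:00Z", "exch02", "system", ["ProxyShell"], 60, "Detect Exchange Web Shell", "TA0001", "T1190"),
    _ev("2023-05-01T10:15:00Z", "exch02", "system", ["ProxyShell"], 50, "W3WP Spawning Shell", "TA0003", "T1505.003"),
    _ev("2023-05-01T10:22:00Z", "exch02", "system", ["ProxyNotShell"], 70, "Exchange PowerShell Abuse via SSRF", "TA0001", "T1190"),
    # a user risk object is excluded by risk_object_type="system"
    _ev("2023-05-01T10:30:00Z", "svc_exch", "user", ["ProxyShell"], 90, "Detect Exchange Web Shell", "TA0001", "T1190"),
    # an event tagged only with another story is excluded by the analyticstories filter
    _ev("2023-05-01T10:33:00Z", "exch01", "system", ["BlackByte Ransomware"], 30, "High Process Termination Frequency", "TA0040", "T1486"),
]

if __name__ == "__main__":
    for row in detect(SAMPLE_RISK_EVENTS):
        print(row["_time"], row["risk_object"], "sources:", row["source_count"], "score:", row["risk_score"])
```

Lowering `threshold` in `detect()` shows the trade-off the search makes: at 3, the exch02 bucket also fires, so the value of 5 is the knob that separates a single noisy detection from a cluster of independent signals on one host within the hour.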

Detections

Name | Technique | Type
Suspicious Driver Loaded Path | Windows Service | TTP
Suspicious Process File Path | Create or Modify System Process | TTP
Allow File And Printing Sharing In Firewall | Disable or Modify Cloud Firewall | TTP
Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall | TTP
Anomalous usage of 7zip | Archive via Utility | Anomaly
CMD Echo Pipe - Escalation | Windows Command Shell, Windows Service | TTP
Cobalt Strike Named Pipes | Process Injection | TTP
Detect Exchange Web Shell | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP
Detect PsExec With accepteula Flag | SMB/Windows Admin Shares | TTP
Detect Regsvr32 Application Control Bypass | Regsvr32 | TTP
Detect Renamed PSExec | Service Execution | Hunting
Disabling Firewall with Netsh | Disable or Modify Tools | Anomaly
DLLHost with no Command Line Arguments with Network | Process Injection | TTP
Excessive File Deletion In WinDefender Folder | Data Destruction | TTP
Exchange PowerShell Abuse via SSRF | Exploit Public-Facing Application, External Remote Services | TTP
Exchange PowerShell Module Usage | PowerShell | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
Firewall Allowed Program Enable | Disable or Modify System Firewall | Anomaly
GPUpdate with no Command Line Arguments with Network | Process Injection | TTP
High Process Termination Frequency | Data Encrypted for Impact | Anomaly
MS Exchange Mailbox Replication service writing Active Server Pages | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP
Ping Sleep Batch Command | Time Based Evasion | Anomaly
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Resize ShadowStorage volume | Inhibit System Recovery | TTP
Rundll32 with no Command Line Arguments with Network | Rundll32 | TTP
SearchProtocolHost with no Command Line with Network | Process Injection | TTP
Services Escalate Exe | Abuse Elevation Control Mechanism | TTP
Suspicious DLLHost no Command Line Arguments | Process Injection | TTP
Suspicious GPUpdate no Command Line Arguments | Process Injection | TTP
Suspicious microsoft workflow compiler rename | Rename System Utilities, Trusted Developer Utilities Proxy Execution | Hunting
Suspicious msbuild path | Rename System Utilities, MSBuild | TTP
Suspicious MSBuild Rename | Rename System Utilities, MSBuild | Hunting
Suspicious Rundll32 no Command Line Arguments | Rundll32 | TTP
Suspicious Rundll32 StartW | Rundll32 | TTP
Suspicious SearchProtocolHost no Command Line Arguments | Process Injection | TTP
W3WP Spawning Shell | Web Shell | TTP
Windows Driver Load Non-Standard Path | Rootkit, Exploitation for Privilege Escalation | TTP
Windows Drivers Loaded by Signature | Rootkit, Exploitation for Privilege Escalation | Hunting
Windows Excessive Service Stop Attempt | Service Stop | TTP
Windows Modify Registry EnableLinkedConnections | Modify Registry | TTP
Windows Modify Registry LongPathsEnabled | Modify Registry | Anomaly
Windows MSExchange Management Mailbox Cmdlet Usage | PowerShell | Anomaly
Windows Raw Access To Disk Volume Partition | Disk Structure Wipe | Anomaly
Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe | TTP
Windows RDP Connection Successful | RDP Hijacking | Hunting
Windows Set Account Password Policy To Unlimited Via Net | Service Stop | Anomaly
Windows Suspicious Child Process Spawned From WebServer | Web Shell | TTP
Windows Suspicious Driver Loaded Path | Windows Service | TTP
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Name or Location | TTP
Windows Vulnerable Driver Loaded | Windows Service | Hunting
Windows Exchange Autodiscover SSRF Abuse | Exploit Public-Facing Application, External Remote Services | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 23 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 26 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 5 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 6 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 9 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log RemoteConnectionManager 1149 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log System 7045 | Windows | xmlwineventlog | XmlWinEventLog:System
Windows IIS | Windows | IIS:Configuration:Operational | IIS:Configuration:Operational

Source: GitHub | Version: 1