Analytics Story: Prestige Ransomware
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige ransomware.
Why it matters
This story addresses Prestige ransomware. The Microsoft Threat Intelligence Center (MSTIC) observed this ransomware payload in a campaign targeting organizations in the transportation and logistics industries in some countries. The campaign highlights destructive attacks on target organizations that directly supply or transport military and humanitarian services or assistance. MSTIC observed that this ransomware shares deployment techniques with CaddyWiper and HermeticWiper, known malware campaigns that impacted multiple targeted critical infrastructure organizations. This analytic story provides techniques and analytics that may help SOC teams or security researchers monitor this threat.
Detections
Name | Technique | Type
--- | --- | ---
Suspicious Process File Path | Create or Modify System Process | TTP
Common Ransomware Extensions | Data Destruction | TTP
Create or delete windows shares using net exe | Network Share Connection Removal | TTP
Deleting Shadow Copies | Inhibit System Recovery | TTP
Dump LSASS via comsvcs DLL | LSASS Memory | TTP
Excessive Usage Of Cacls App | File and Directory Permissions Modification | Anomaly
Executable File Written in Administrative SMB Share | SMB/Windows Admin Shares | TTP
Impacket Lateral Movement Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP
Impacket Lateral Movement smbexec CommandLine Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP
Impacket Lateral Movement WMIExec Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP
Network Connection Discovery With Arp | System Network Connections Discovery | Hunting
Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting
Network Discovery Using Route Windows App | Internet Connection Discovery | Hunting
Ntdsutil Export NTDS | NTDS | TTP
Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP
Schtasks scheduling job on remote system | Scheduled Task | TTP
WBAdmin Delete System Backups | Inhibit System Recovery | TTP
Windows Cached Domain Credentials Reg Query | Cached Domain Credentials | Anomaly
Windows Change Default File Association For No File Ext | Change Default File Association | TTP
Windows ClipBoard Data via Get-ClipBoard | Clipboard Data | Anomaly
Windows Credentials from Password Stores Query | Credentials from Password Stores | Anomaly
Windows Credentials in Registry Reg Query | Credentials in Registry | Anomaly
Windows Excessive Usage Of Net App | Account Access Removal | Anomaly
Windows Group Discovery Via Net | Local Groups, Domain Groups | Hunting
Windows Indirect Command Execution Via Series Of Forfiles | Indirect Command Execution | Anomaly
Windows Information Discovery Fsutil | System Information Discovery | Anomaly
Windows Network Connection Discovery Via Net | System Network Connections Discovery | Hunting
Windows New Default File Association Value Set | Change Default File Association | Hunting
Windows Office Product Spawned Rundll32 With No DLL | Spearphishing Attachment | TTP
Windows Password Managers Discovery | Password Managers | Anomaly
Windows Private Keys Discovery | Private Keys | Anomaly
Windows Registry Entries Exported Via Reg | Query Registry | Hunting
Windows Registry Entries Restored Via Reg | Query Registry | Hunting
Windows Security Support Provider Reg Query | Security Support Provider | Anomaly
Windows Service Stop Attempt | Service Stop | Hunting
Windows Steal or Forge Kerberos Tickets Klist | Steal or Forge Kerberos Tickets | Hunting
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Name or Location | TTP
Windows System Network Config Discovery Display DNS | System Network Configuration Discovery | Anomaly
Windows System Network Connections Discovery Netsh | System Network Connections Discovery | Anomaly
Windows System User Discovery Via Quser | System Owner/User Discovery | Hunting
Windows WMI Process And Service List | Windows Management Instrumentation | Anomaly
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting
Source: GitHub | Version: 1