Analytics Story: Ransomware

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware, such as spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware file extensions, system processes run from unexpected locations, and many others.

Why it matters

Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and drive-by downloads, as well as through traditional remote service-based exploitation. In the case of the WannaCry campaign, self-propagating, wormable functionality was used to maximize infection. Fortunately, organizations can apply several techniques, such as those in this Analytic Story, to detect and/or mitigate the effects of ransomware.

Detections

| Name | Technique | Type |
|------|-----------|------|
| Known Services Killed by Ransomware | Inhibit System Recovery | TTP |
| Suspicious Event Log Service Behavior | Clear Windows Event Logs | Hunting |
| 7zip CommandLine To SMB Share Path | Archive via Utility | Hunting |
| Allow File And Printing Sharing In Firewall | Disable or Modify Cloud Firewall | TTP |
| Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall | TTP |
| Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP |
| Clear Unallocated Sector Using Cipher App | File Deletion | TTP |
| CMLUA Or CMSTPLUA UAC Bypass | CMSTP | TTP |
| Common Ransomware Extensions | Data Destruction | TTP |
| Common Ransomware Notes | Data Destruction | Hunting |
| Conti Common Exec parameter | User Execution | TTP |
| Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| Detect RClone Command-Line Usage | Automated Exfiltration | TTP |
| Detect Remote Access Software Usage File | Remote Access Software | Anomaly |
| Detect Remote Access Software Usage FileInfo | Remote Access Software | Anomaly |
| Detect Remote Access Software Usage Process | Remote Access Software | Anomaly |
| Detect Remote Access Software Usage Registry | Remote Access Software | Anomaly |
| Detect Renamed RClone | Automated Exfiltration | Hunting |
| Detect SharpHound Command-Line Arguments | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP |
| Detect SharpHound File Modifications | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP |
| Detect SharpHound Usage | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP |
| Disable AMSI Through Registry | Disable or Modify Tools | TTP |
| Disable ETW Through Registry | Disable or Modify Tools | TTP |
| Disable Logs Using WevtUtil | Clear Windows Event Logs | TTP |
| Disable Windows Behavior Monitoring | Disable or Modify Tools | TTP |
| Excessive Usage Of SC Service Utility | Service Execution | Anomaly |
| Execute Javascript With Jscript COM CLSID | Visual Basic | TTP |
| Fsutil Zeroing File | Indicator Removal | TTP |
| ICACLS Grant Command | File and Directory Permissions Modification | Anomaly |
| Modification Of Wallpaper | Defacement | TTP |
| MS Exchange Mailbox Replication service writing Active Server Pages | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP |
| Msmpeng Application DLL Side Loading | DLL Side-Loading | TTP |
| Permission Modification using Takeown App | File and Directory Permissions Modification | Anomaly |
| Powershell Disable Security Monitoring | Disable or Modify Tools | TTP |
| Powershell Enable SMB1Protocol Feature | Indicator Removal from Tools | TTP |
| Powershell Execute COM Object | PowerShell, Component Object Model Hijacking | TTP |
| Prevent Automatic Repair Mode using Bcdedit | Inhibit System Recovery | TTP |
| Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP |
| Recursive Delete of Directory In Batch CMD | File Deletion | TTP |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP |
| Remote Process Instantiation via WMI | Windows Management Instrumentation | TTP |
| Revil Common Exec Parameter | User Execution | TTP |
| Revil Registry Entry | Modify Registry | TTP |
| Rundll32 LockWorkStation | Rundll32 | Anomaly |
| Schtasks used for forcing a reboot | Scheduled Task | TTP |
| Spike in File Writes | None | Anomaly |
| Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly |
| Suspicious wevtutil Usage | Clear Windows Event Logs | TTP |
| System Processes Run From Unexpected Locations | Rename System Utilities | Anomaly |
| UAC Bypass With Colorui COM Object | CMSTP | TTP |
| Uninstall App Using MsiExec | Msiexec | TTP |
| Unusually Long Command Line | None | Anomaly |
| Unusually Long Command Line - MLTK | None | Anomaly |
| USN Journal Deletion | Indicator Removal | TTP |
| WBAdmin Delete System Backups | Inhibit System Recovery | TTP |
| Wbemprox COM Object Execution | CMSTP | TTP |
| Windows Disable Change Password Through Registry | Modify Registry | Anomaly |
| Windows Disable Lock Workstation Feature Through Registry | Modify Registry | Anomaly |
| Windows Disable LogOff Button Through Registry | Modify Registry | Anomaly |
| Windows Disable Memory Crash Dump | Data Destruction | TTP |
| Windows Disable Shutdown Button Through Registry | Modify Registry | Anomaly |
| Windows Disable Windows Group Policy Features Through Registry | Modify Registry | Anomaly |
| Windows DiskCryptor Usage | Data Encrypted for Impact | Hunting |
| Windows DotNet Binary in Non Standard Path | Rename System Utilities, InstallUtil | TTP |
| Windows Event Log Cleared | Clear Windows Event Logs | TTP |
| Windows Event Logging Service Has Shutdown | Clear Windows Event Logs | Hunting |
| Windows Excessive Service Stop Attempt | Service Stop | TTP |
| Windows Excessive Usage Of Net App | Account Access Removal | Anomaly |
| Windows Hide Notification Features Through Registry | Modify Registry | Anomaly |
| Windows InstallUtil in Non Standard Path | Rename System Utilities, InstallUtil | TTP |
| Windows NirSoft AdvancedRun | Tool | TTP |
| Windows Process Execution in Temp Dir | Create or Modify System Process, Match Legitimate Name or Location | Anomaly |
| Windows Raccine Scheduled Task Deletion | Disable or Modify Tools | TTP |
| Windows Registry Modification for Safe Mode Persistence | Registry Run Keys / Startup Folder | TTP |
| Windows Remote Access Software Hunt | Remote Access Software | Hunting |
| Windows Scheduled Task with Suspicious Command | Scheduled Task | TTP |
| Windows Scheduled Task with Suspicious Name | Scheduled Task | TTP |
| Windows Security And Backup Services Stop | Inhibit System Recovery | TTP |
| Windows Set Account Password Policy To Unlimited Via Net | Service Stop | Anomaly |
| WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task | TTP |
| WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP |
| Detect Remote Access Software Usage DNS | Remote Access Software | Anomaly |
| Detect Remote Access Software Usage Traffic | Remote Access Software | Anomaly |
| Prohibited Network Traffic Allowed | Exfiltration Over Alternative Protocol | TTP |
| SMB Traffic Spike | SMB/Windows Admin Shares | Anomaly |
| SMB Traffic Spike - MLTK | SMB/Windows Admin Shares | Anomaly |
| TOR Traffic | Multi-hop Proxy | TTP |
| Detect Remote Access Software Usage URL | Remote Access Software | Anomaly |

Data Sources

| Name | Platform | Sourcetype | Source |
|------|----------|------------|--------|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Palo Alto Network Threat | Network | pan:threat | pan:threat |
| Palo Alto Network Traffic | Network | pan:traffic | screenconnect_palo_traffic |
| Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 1100 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 1102 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4700 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4702 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log System 104 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log System 7036 | Windows | xmlwineventlog | XmlWinEventLog:System |

Source: GitHub | Version: 1