Analytics Story: Ransomware
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others.
Why it matters
Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and driveby downloads, as well as through traditional remote service-based exploitation. In the case of the WannaCry campaign, there was self-propagating wormable functionality that was used to maximize infection. Fortunately, organizations can apply several techniques--such as those in this Analytic Story--to detect and or mitigate the effects of ransomware.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
Palo Alto Network Threat | pan:threat |
pan:threat |
|
Palo Alto Network Traffic | pan:traffic |
screenconnect_palo_traffic |
|
Powershell Script Block Logging 4104 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
|
Sysmon EventID 1 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 11 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 12 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 13 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 22 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 7 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Windows Event Log Security 1100 | xmlwineventlog |
XmlWinEventLog:Security |
|
Windows Event Log Security 1102 | xmlwineventlog |
XmlWinEventLog:Security |
|
Windows Event Log Security 4688 | xmlwineventlog |
XmlWinEventLog:Security |
|
Windows Event Log Security 4698 | xmlwineventlog |
XmlWinEventLog:Security |
|
Windows Event Log Security 4700 | xmlwineventlog |
XmlWinEventLog:Security |
|
Windows Event Log Security 4702 | xmlwineventlog |
XmlWinEventLog:Security |
|
Windows Event Log System 104 | xmlwineventlog |
XmlWinEventLog:Security |
|
Windows Event Log System 7036 | xmlwineventlog |
XmlWinEventLog:System |
References
- https://web.archive.org/web/20190826231258/https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/
- https://www.splunk.com/blog/2017/06/27/closing-the-detection-to-mitigation-gap-or-to-petya-or-notpetya-whocares-.html
Source: GitHub | Version: 1