Common Ransomware Extensions
Description
The search looks for file modifications whose extensions are commonly used by ransomware.
- Type: Hunting
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2020-11-09
- Author: David Dorsey, Splunk
- ID: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec
Annotations
ATT&CK
ID | Technique | Tactic |
---|---|---|
T1485 | Data Destruction | Impact |
Kill Chain Phase
- Actions on Objectives
NIST
- PR.PT
- DE.CM
CIS20
- CIS 8
CVE
Search
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| rex field=file_name "(?<file_extension>\.[^\.]+)$"
| `ransomware_extensions`
| `common_ransomware_extensions_filter`
Macros
The SPL above uses the following Macros:
- security_content_summariesonly
- drop_dm_object_name
- security_content_ctime
- ransomware_extensions
- common_ransomware_extensions_filter
Note that common_ransomware_extensions_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required field
- _time
- Filesystem.user
- Filesystem.dest
- Filesystem.file_path
- Filesystem.file_name
How To Implement
You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
This search produces fields (query, query_length, count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):
- Label: Name, Field: Name
- Label: File Extension, Field: file_extension
Detailed documentation on how to create a new field within Incident Review may be found here: https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details
Known False Positives
It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.
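As an added example (not part of the Splunk content), the Python below emulates the search above over a few constructed Endpoint.Filesystem-style events: it aggregates by file_name the way the tstats command does, applies the same extension regex as the rex command, and then adds the per-endpoint volume check the false-positive note suggests. The extension set is an assumption, since the contents of the ransomware_extensions macro are not shown on this page.

```python
import re
from collections import defaultdict

# Assumed stand-in for the `ransomware_extensions` macro; the real list is not
# on this page, so these values are constructed for the example.
RANSOMWARE_EXTENSIONS = {".locky", ".wncry", ".crypt", ".cerber"}

# Same pattern as the search's rex command: the final dot-suffix of file_name.
EXT_RE = re.compile(r"(?P<file_extension>\.[^.]+)$")

# Constructed events (not real telemetry), shaped like the data-model fields.
EVENTS = [
    {"_time": 100, "user": "alice", "dest": "ws01", "file_path": r"C:\Users\alice\q3.xlsx.locky", "file_name": "q3.xlsx.locky"},
    {"_time": 110, "user": "alice", "dest": "ws01", "file_path": r"C:\Users\alice\budget.docx.locky", "file_name": "budget.docx.locky"},
    {"_time": 120, "user": "alice", "dest": "ws01", "file_path": r"C:\Users\alice\notes.txt.locky", "file_name": "notes.txt.locky"},
    {"_time": 130, "user": "bob", "dest": "ws02", "file_path": r"C:\Users\bob\report.pdf", "file_name": "report.pdf"},
    {"_time": 140, "user": "carol", "dest": "ws03", "file_path": "/home/carol/archive.tar.gz", "file_name": "archive.tar.gz"},
    {"_time": 150, "user": "bob", "dest": "ws02", "file_path": r"C:\Users\bob\q3.xlsx.locky", "file_name": "q3.xlsx.locky"},
]

def extract_extension(file_name):
    """Mirror `rex field=file_name "(?<file_extension>\\.[^\\.]+)$"`; None when no dot."""
    m = EXT_RE.search(file_name)
    return m.group("file_extension") if m else None

def common_ransomware_extensions(events, extensions=RANSOMWARE_EXTENSIONS):
    """Emulate the tstats aggregation by file_name, then keep only matching extensions."""
    rows = {}
    for e in events:
        r = rows.setdefault(e["file_name"], {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"],
                                             "user": set(), "dest": set(), "file_path": set()})
        r["count"] += 1                                   # count
        r["firstTime"] = min(r["firstTime"], e["_time"])  # min(_time)
        r["lastTime"] = max(r["lastTime"], e["_time"])    # max(_time)
        for k in ("user", "dest", "file_path"):           # values(...)
            r[k].add(e[k])
    results = []
    for name, r in rows.items():
        ext = extract_extension(name)
        if ext in extensions:
            results.append({"file_name": name, "file_extension": ext, **r})
    return results

def files_per_dest(results):
    """Triage aid for the false-positive note: distinct matching files per endpoint."""
    per = defaultdict(set)
    for r in results:
        for d in r["dest"]:
            per[d].add(r["file_name"])
    return {d: len(files) for d, files in per.items()}
```

On the constructed events, ws01 shows three distinct matching files while ws02 shows one, which is the kind of volume difference the false-positive note says separates an attack from a stray legitimate file.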
Associated Analytic story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
90.0 | 90 | 100 | A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware file extension and should be reviewed immediately. |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 4