Common Ransomware Extensions

Try in Splunk Security Cloud

Description

The search looks for file modifications with extensions commonly used by Ransomware

• Type: Hunting
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2020-11-09
• Author: David Dorsey, Splunk
• ID: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec

Annotations

ATT&CK

ID	Technique	Tactic
T1485	Data Destruction	Impact

Kill Chain Phase

• Actions on Objectives

NIST

• PR.PT
• DE.CM

CIS20

• CIS 8

CVE

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)`
| rex field=file_name "(?<file_extension>\.[^\.]+)$" 
| `ransomware_extensions` 
| `common_ransomware_extensions_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• security_content_summariesonly
• ransomware_extensions

Note that common_ransomware_extensions_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required field

• _time
• Filesystem.user
• Filesystem.dest
• Filesystem.file_path
• Filesystem.file_name

How To Implement

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
This search produces fields (query,query_length,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n1. Label: Name, Field: Name\

1. \
2. Label: File Extension, Field: file_extension
   Detailed documentation on how to create a new field within Incident Review may be found here: https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details

Known False Positives

It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.

Associated Analytic story

• SamSam Ransomware
• Ryuk Ransomware
• Ransomware
• Clop Ransomware

RBA

Risk Score	Impact	Confidence	Message
90.0	90	100	A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware file extension and should be reviewed immediately.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

• https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_extensions/windows-sysmon.log

source | version: 4