Try in Splunk Security Cloud

Description

The search looks for file modifications with extensions commonly used by Ransomware

  • Type: Hunting
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-11-09
  • Author: David Dorsey, Splunk
  • ID: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec

Annotations

ATT&CK
ID Technique Tactic
T1485 Data Destruction Impact
Kill Chain Phase
  • Actions on Objectives
NIST
  • PR.PT
  • DE.CM
CIS20
  • CIS 8
CVE
1
2
3
4
5
6
7
8
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)`
| rex field=file_name "(?<file_extension>\.[^\.]+)$" 
| `ransomware_extensions` 
| `common_ransomware_extensions_filter`

Macros

The SPL above uses the following Macros:

Note that common_ransomware_extensions_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required field

  • _time
  • Filesystem.user
  • Filesystem.dest
  • Filesystem.file_path
  • Filesystem.file_name

How To Implement

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
This search produces fields (query,query_length,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n1. Label: Name, Field: Name\

  1. \
  2. Label: File Extension, Field: file_extension
    Detailed documentation on how to create a new field within Incident Review may be found here: https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details

Known False Positives

It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.

Associated Analytic story

RBA

Risk Score Impact Confidence Message
90.0 90 100 A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware file extension and should be reviewed immediately.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 4