
Description

The following analytic identifies a large number of ransomware note files (e.g. .txt, .html, .hta) being created on an infected machine. This behavior is a useful signal when the ransomware note filename is new to the security industry, or when it is not yet present in the ransomware note lookup table you use for monitoring.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-03-12
  • Author: Teoderick Contreras
  • ID: eff7919a-8330-11eb-83f8-acde48001122

Annotations

ATT&CK
| ID | Technique | Tactic |
| --- | --- | --- |
| T1486 | Data Encrypted for Impact | Impact |
Kill Chain Phase
  • Exploitation
NIST
CIS20
CVE
`sysmon` EventCode=11 file_name IN ("*\.txt","*\.html","*\.hta") 
|bin _time span=10s 
| stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer Image file_name 
| where unique_readme_path_count >= 15 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `ransomware_notes_bulk_creation_filter`
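As an added example (not part of the Splunk content project or this detection's own code), the SPL's logic re-implemented in Python over constructed Sysmon EventCode 11 records: the note-extension filter on file_name, the 10-second bin, the distinct TargetFilename count per Computer/Image/file_name, and the >= 15 threshold. Host names, image paths and file paths are hypothetical, and file_name is assumed to be the basename of TargetFilename as the Sysmon add-on extracts it.

```python
import ntpath
from datetime import datetime, timedelta, timezone

NOTE_EXTENSIONS = (".txt", ".html", ".hta")  # mirrors file_name IN ("*\.txt","*\.html","*\.hta")
BIN_SECONDS, THRESHOLD = 10, 15               # mirrors span=10s and unique_readme_path_count >= 15

def make_sample_events():
    """Constructed Sysmon EventCode 11 (FileCreate) records; host, images and paths are hypothetical."""
    t0 = datetime(2021, 3, 12, 9, 0, 0, tzinfo=timezone.utc)
    events = []
    # An unknown binary drops the same note name into 18 different folders within 6 seconds.
    for i in range(18):
        events.append({"_time": t0 + timedelta(milliseconds=300 * i), "EventCode": 11,
                       "Computer": "ws01.example.test", "Image": r"C:\Users\alice\AppData\Local\Temp\locker.exe",
                       "TargetFilename": rf"C:\Users\alice\Documents\dir{i}\README_TO_RESTORE.txt"})
    # Benign noise: an editor rewriting one .txt path 20 times, so dc(TargetFilename) stays 1.
    for i in range(20):
        events.append({"_time": t0 + timedelta(seconds=i), "EventCode": 11,
                       "Computer": "ws01.example.test", "Image": r"C:\Program Files\Editor\editor.exe",
                       "TargetFilename": r"C:\Users\alice\Documents\notes.txt"})
    # A non-note extension from the same binary, which the file_name filter must drop.
    events.append({"_time": t0, "EventCode": 11, "Computer": "ws01.example.test",
                   "Image": r"C:\Users\alice\AppData\Local\Temp\locker.exe",
                   "TargetFilename": r"C:\Users\alice\Documents\report.docx"})
    return events

def ransomware_notes_bulk_creation(events, bin_seconds=BIN_SECONDS, threshold=THRESHOLD):
    """One result per (Computer, Image, file_name) whose distinct note paths reach the threshold.
    file_name is taken as the basename of TargetFilename (assumed to match the Sysmon add-on's extraction)."""
    groups = {}
    for ev in events:
        file_name = ntpath.basename(ev["TargetFilename"])
        if ev["EventCode"] != 11 or not file_name.lower().endswith(NOTE_EXTENSIONS):
            continue
        # `bin _time span=10s` floors the timestamp, but _time is not in the `by` clause, so it only
        # coarsens firstTime/lastTime; the distinct-path count spans the whole search window.
        binned = int(ev["_time"].timestamp()) // bin_seconds * bin_seconds
        g = groups.setdefault((ev["Computer"], ev["Image"], file_name),
                              {"firstTime": binned, "lastTime": binned, "paths": set()})
        g["firstTime"], g["lastTime"] = min(g["firstTime"], binned), max(g["lastTime"], binned)
        g["paths"].add(ev["TargetFilename"])
    results = []
    for (computer, image, file_name), g in groups.items():
        if len(g["paths"]) >= threshold:  # `where unique_readme_path_count >= 15`
            results.append({"Computer": computer, "Image": image, "file_name": file_name,
                            "firstTime": datetime.fromtimestamp(g["firstTime"], timezone.utc),
                            "lastTime": datetime.fromtimestamp(g["lastTime"], timezone.utc),
                            "unique_readme_path_count": len(g["paths"]),
                            "list_of_readme_path": sorted(g["paths"])})
    return results
```

Because _time is binned but not listed in the `by` clause, the distinct-path count covers the whole time range of the scheduled search, and span=10s only coarsens firstTime and lastTime; the effective detection window is therefore set by the search's earliest/latest settings, not by the bin.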

Macros

The SPL above uses the following Macros:

  • sysmon
  • security_content_ctime
  • ransomware_notes_bulk_creation_filter

Note that ransomware_notes_bulk_creation_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required field

  • EventCode
  • file_name
  • _time
  • TargetFilename
  • Computer
  • Image
  • user

How To Implement

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Known False Positives

unknown

Associated Analytic story

RBA

| Risk Score | Impact | Confidence | Message |
| --- | --- | --- | --- |
| 81.0 | 90 | 90 | A high frequency file creation of $file_name$ in different file path in host $Computer$ |

Reference

Test Dataset

Replay any dataset into Splunk Enterprise using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1