Samsam Test File Write
Description
The search looks for a file named "test.txt" written under the Windows system32 directory (a file_path matching *\windows\system32\test.txt), which is consistent with Samsam propagation: the actor drops a test file on each target to confirm write access before staging the ransomware.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Datasource: Splunk Add-on for Sysmon
- Last Updated: 2018-12-14
- Author: Rico Valdez, Splunk
- ID: 493a879d-519d-428f-8f57-a06a0fdc107e
Annotations
ATT&CK
ID | Technique | Tactic |
---|---|---|
T1486 | Data Encrypted for Impact | Impact |
Kill Chain Phase
- Delivery
NIST
- PR.PT
- DE.CM
CIS20
- CIS 8
CVE
Search
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\windows\\system32\\test.txt by Filesystem.file_path
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `samsam_test_file_write_filter`
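The following is an added example, not part of the Splunk security content: it re-implements the search's logic in Python over a handful of constructed Sysmon Event ID 11 (FileCreate) records that have been normalised to the Endpoint.Filesystem field names the search uses (_time, user, dest, file_name, file_path). It reproduces the wildcard match on file_path, the tstats aggregation by file_path, the filter macro as a list of exclusion predicates (empty by default, as samsam_test_file_write_filter is), and the risk score and message from the RBA table. The host names, account names and timestamps are constructed for the example.

```python
"""Added example, not part of the Splunk security content: re-implements the
Samsam test-file-write search over constructed Sysmon Event ID 11 (FileCreate)
records normalised to the Endpoint.Filesystem field names the search uses."""
import fnmatch
from datetime import datetime, timezone

# Constructed sample rows shaped like Endpoint.Filesystem data-model events.
# Two hosts receive test.txt under System32 (should match); one user writes
# test.txt to a desktop and one event is an unrelated System32 file (no match).
SAMPLE_EVENTS = [
    {"_time": "2018-12-14T10:01:05Z", "user": "CORP\\svc_backup", "dest": "fs01",
     "file_name": "test.txt", "file_path": "C:\\Windows\\System32\\test.txt"},
    {"_time": "2018-12-14T10:01:09Z", "user": "CORP\\svc_backup", "dest": "fs02",
     "file_name": "test.txt", "file_path": "C:\\Windows\\System32\\test.txt"},
    {"_time": "2018-12-14T10:02:30Z", "user": "CORP\\alice", "dest": "ws17",
     "file_name": "test.txt", "file_path": "C:\\Users\\alice\\Desktop\\test.txt"},
    {"_time": "2018-12-14T10:03:00Z", "user": "NT AUTHORITY\\SYSTEM", "dest": "fs01",
     "file_name": "cmd.exe", "file_path": "C:\\Windows\\System32\\cmd.exe"},
]

# The wildcard from the search's where clause. The SPL writes the backslashes
# doubled because they are escaped there; the effective pattern has single ones.
# Splunk string matching is case-insensitive, so both sides are lower-cased.
SEARCH_PATTERN = "*\\windows\\system32\\test.txt"


def matches_search(file_path):
    """Equivalent of `Filesystem.file_path=*\\windows\\system32\\test.txt`."""
    return fnmatch.fnmatchcase(file_path.lower(), SEARCH_PATTERN.lower())


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def run_detection(events, filter_rules=()):
    """Mirrors the tstats aggregation: count, min/max _time and the distinct
    user/dest/file_name values, grouped by file_path.

    `filter_rules` plays the part of `samsam_test_file_write_filter`: a list of
    predicates over a result row; any row matching a predicate is dropped.
    Empty by default, as the macro is."""
    results = {}
    for ev in events:
        if not matches_search(ev["file_path"]):
            continue
        row = results.setdefault(ev["file_path"], {
            "count": 0, "firstTime": None, "lastTime": None,
            "user": set(), "dest": set(), "file_name": set()})
        t = parse_time(ev["_time"])
        row["count"] += 1
        row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
        row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
        for field in ("user", "dest", "file_name"):
            row[field].add(ev[field])
    # The filter macro runs after aggregation, as it does in the SPL pipeline.
    return {path: row for path, row in results.items()
            if not any(rule(row) for rule in filter_rules)}


def risk_score(impact, confidence):
    """Risk score as the RBA table computes it: impact * confidence / 100."""
    return impact * confidence / 100


def risk_message(file_path, dest):
    """Fills the RBA message template for one affected host."""
    return f"A samsam ransomware test file creation in {file_path} in host {dest}"


if __name__ == "__main__":
    hits = run_detection(SAMPLE_EVENTS)
    for path, row in hits.items():
        print(path, row["count"], sorted(row["dest"]),
              row["firstTime"].isoformat(), row["lastTime"].isoformat())
        for dest in sorted(row["dest"]):
            print(" ", risk_score(60, 20), risk_message(path, dest))
    # A tuning rule of the kind the filter macro is for: suppress writes by a
    # known deployment account (hypothetical account name used here).
    tuned = run_detection(SAMPLE_EVENTS, [lambda r: r["user"] == {"CORP\\svc_backup"}])
    print("after filter:", len(tuned), "row(s)")
```

Run as a script it prints the single matching file_path with its count of 2, the two destination hosts and the first/last write times, then shows that a filter rule excluding the (hypothetical) deployment account removes the row. Because the aggregation is by file_path alone, several hosts hit in quick succession collapse into one row whose dest field lists them all, which is the propagation signal the description refers to.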
Macros
The SPL above uses the following Macros:
- security_content_summariesonly
- drop_dm_object_name
- security_content_ctime
- samsam_test_file_write_filter
Note that samsam_test_file_write_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required field
- _time
- Filesystem.user
- Filesystem.dest
- Filesystem.file_name
- Filesystem.file_path
How To Implement
You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. With Sysmon, it is Event ID 11 (FileCreate) that supplies the file_path values this search matches on, so check that your Sysmon configuration does not exclude file creations under the Windows directory, or the search will never fire.
Known False Positives
No false positives have been identified. Should a legitimate administrative or testing tool in your environment write a file named test.txt into System32, exclude it through the samsam_test_file_write_filter macro rather than by editing the search.
Associated Analytic story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
12.0 | 60 | 20 | A samsam ransomware test file creation in $file_path$ in host $dest$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 1