Samsam Test File Write

Try in Splunk Security Cloud

Description

The search looks for a file named “test.txt” written to the windows system directory tree, which is consistent with Samsam propagation.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint- Datasource: Splunk Add-on for Sysmon
• Last Updated: 2018-12-14
• Author: Rico Valdez, Splunk
• ID: 493a879d-519d-428f-8f57-a06a0fdc107e

Annotations

ATT&CK

ID	Technique	Tactic
T1486	Data Encrypted for Impact	Impact

Kill Chain Phase

• Delivery

NIST

• PR.PT
• DE.CM

CIS20

• CIS 8

CVE

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\windows\\system32\\test.txt by Filesystem.file_path 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `samsam_test_file_write_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• security_content_summariesonly

Note that samsam_test_file_write_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required field

• _time
• Filesystem.user
• Filesystem.dest
• Filesystem.file_name
• Filesystem.file_path

How To Implement

You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Known False Positives

No false positives have been identified.

Associated Analytic story

• SamSam Ransomware

RBA

Risk Score	Impact	Confidence	Message
12.0	60	20	A samsam ransomware test file creation in $file_path$ in host $dest$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

• https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/sam_sam_note/windows-sysmon.log

source | version: 1