Samsam Test File Write
Description
The search looks for a file named "test.txt" written to the windows system directory tree, which is consistent with Samsam propagation.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2018-12-14
- Author: Rico Valdez, Splunk
- ID: 493a879d-519d-428f-8f57-a06a0fdc107e
ATT&CK
| ID | Technique | Tactic |
|---|---|---|
| T1486 | Data Encrypted for Impact | Impact |
Search
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\windows\\system32\\test.txt by Filesystem.file_path
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `samsam_test_file_write_filter`
Associated Analytic Story
How To Implement
You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
Required field
- _time
- Filesystem.user
- Filesystem.dest
- Filesystem.file_name
- Filesystem.file_path
Kill Chain Phase
- Delivery
Known False Positives
No false positives have been identified.
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 12.0 | 60 | 20 | A samsam ransomware test file creation in $file_path$ in host $dest$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1