Analytics Story: BlackByte Ransomware

Date: 2023-07-10 ID: b18259ac-0746-45d7-bd1f-81d65274a80b Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackByte ransomware, including looking for file writes associated with BlackByte, persistence, initial access, account registry modification and more.

Why it matters

BlackByte ransomware campaigns targeting business operations, involve the use of ransomware payloads, infection chain to collect and exfiltrate data and drop payload on the targeted system. BlackByte Ransomware operates by infiltrating a system through various methods, such as malicious email attachments, exploit kits, or compromised websites. Once inside a system, it begins encrypting files using strong encryption algorithms, rendering them unusable. After completing the encryption process, BlackByte Ransomware typically leaves a ransom note that explains the situation to the victim and provides instructions on how to pay the ransom to obtain the decryption key.

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories from datamodel=Risk.All_Risk where All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell") OR (All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell") AND All_Risk.analyticstories="Cobalt Strike") All_Risk.risk_object_type="system" by _time span=1h All_Risk.risk_object All_Risk.risk_object_type | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where source_count >=5 | `proxyshell_proxynotshell_behavior_detected_filter`

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Allow File And Printing Sharing In Firewall Disable or Modify Cloud Firewall, Impair Defenses TTP
Allow Network Discovery In Firewall Disable or Modify Cloud Firewall, Impair Defenses TTP
Anomalous usage of 7zip Archive via Utility, Archive Collected Data Anomaly
CMD Echo Pipe - Escalation Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process TTP
Cobalt Strike Named Pipes Process Injection TTP
Detect Exchange Web Shell Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services TTP
Detect PsExec With accepteula Flag Remote Services, SMB/Windows Admin Shares TTP
Detect Regsvr32 Application Control Bypass System Binary Proxy Execution, Regsvr32 TTP
Detect Renamed PSExec System Services, Service Execution Hunting
Detect Webshell Exploit Behavior Server Software Component, Web Shell TTP
Disabling Firewall with Netsh Disable or Modify Tools, Impair Defenses Anomaly
DLLHost with no Command Line Arguments with Network Process Injection TTP
Excessive File Deletion In WinDefender Folder Data Destruction TTP
Excessive Service Stop Attempt Service Stop Anomaly
Exchange PowerShell Abuse via SSRF Exploit Public-Facing Application, External Remote Services TTP
Exchange PowerShell Module Usage Command and Scripting Interpreter, PowerShell TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Firewall Allowed Program Enable Disable or Modify System Firewall, Impair Defenses Anomaly
GPUpdate with no Command Line Arguments with Network Process Injection TTP
High Process Termination Frequency Data Encrypted for Impact Anomaly
MS Exchange Mailbox Replication service writing Active Server Pages Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services TTP
Ping Sleep Batch Command Virtualization/Sandbox Evasion, Time Based Evasion Anomaly
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Resize ShadowStorage volume Inhibit System Recovery TTP
Rundll32 with no Command Line Arguments with Network System Binary Proxy Execution, Rundll32 TTP
SearchProtocolHost with no Command Line with Network Process Injection TTP
Services Escalate Exe Abuse Elevation Control Mechanism TTP
Suspicious DLLHost no Command Line Arguments Process Injection TTP
Suspicious Driver Loaded Path Windows Service, Create or Modify System Process TTP
Suspicious GPUpdate no Command Line Arguments Process Injection TTP
Suspicious microsoft workflow compiler rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities Hunting
Suspicious msbuild path Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild TTP
Suspicious MSBuild Rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild Hunting
Suspicious Process File Path Create or Modify System Process TTP
Suspicious Rundll32 no Command Line Arguments System Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 StartW System Binary Proxy Execution, Rundll32 TTP
Suspicious SearchProtocolHost no Command Line Arguments Process Injection TTP
W3WP Spawning Shell Server Software Component, Web Shell TTP
Windows Driver Load Non-Standard Path Rootkit, Exploitation for Privilege Escalation TTP
Windows Drivers Loaded by Signature Rootkit, Exploitation for Privilege Escalation Hunting
Windows Modify Registry EnableLinkedConnections Modify Registry TTP
Windows Modify Registry LongPathsEnabled Modify Registry Anomaly
Windows MSExchange Management Mailbox Cmdlet Usage Command and Scripting Interpreter, PowerShell Anomaly
Windows Raw Access To Disk Volume Partition Disk Structure Wipe, Disk Wipe Anomaly
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe, Disk Wipe TTP
Windows RDP Connection Successful RDP Hijacking Hunting
Windows Vulnerable Driver Loaded Windows Service Hunting
Windows Exchange Autodiscover SSRF Abuse Exploit Public-Facing Application, External Remote Services TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 23 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 5 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 6 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 9 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log RemoteConnectionManager 1149 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log System 7045 Windows icon Windows xmlwineventlog XmlWinEventLog:System
Windows IIS Windows icon Windows IIS:Configuration:Operational IIS:Configuration:Operational

References

Source: GitHub | Version: 1