Analytics Story: DarkSide Ransomware

Date: 2021-05-12 ID: 507edc74-13d5-4339-878e-b9114ded1f35 Author: Bhavin Patel, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware

Why it matters

This story addresses Darkside ransomware. This ransomware payload has many similarities to common ransomware however there are certain items particular to it. The creation of a .TXT log that shows every item being encrypted as well as the creation of ransomware notes and files adding a machine ID created based on CRC32 checksum algorithm. This ransomware payload leaves machines in minimal operation level,enough to browse the attackers websites. A customized URI with leaked information is presented to each victim.This is the ransomware payload that shut down the Colonial pipeline. The story is composed of several detection searches covering similar items to other ransomware payloads and those particular to Darkside payload.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect Mimikatz Using Loaded Images LSASS Memory, OS Credential Dumping TTP
Attempted Credential Dump From Registry via Reg exe Security Account Manager, OS Credential Dumping TTP
BITSAdmin Download File BITS Jobs, Ingress Tool Transfer TTP
CertUtil Download With URLCache and Split Arguments Ingress Tool Transfer TTP
CertUtil Download With VerifyCtl and Split Arguments Ingress Tool Transfer TTP
CMLUA Or CMSTPLUA UAC Bypass System Binary Proxy Execution, CMSTP TTP
Cobalt Strike Named Pipes Process Injection TTP
Delete ShadowCopy With PowerShell Inhibit System Recovery TTP
Detect PsExec With accepteula Flag Remote Services, SMB/Windows Admin Shares TTP
Detect RClone Command-Line Usage Automated Exfiltration TTP
Detect Renamed PSExec System Services, Service Execution Hunting
Detect Renamed RClone Automated Exfiltration Hunting
Extraction of Registry Hives Security Account Manager, OS Credential Dumping TTP
Ransomware Notes bulk creation Data Encrypted for Impact Anomaly
SLUI RunAs Elevated Bypass User Account Control, Abuse Elevation Control Mechanism TTP
SLUI Spawning a Process Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Windows Possible Credential Dumping LSASS Memory, OS Credential Dumping TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1