Analytics Story: Prestige Ransomware

Date: 2022-11-30 ID: 8b8d8506-b931-450c-b794-f24184ca1deb Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige Ransomware

Why it matters

This story addresses Prestige ransomware. This ransomware payload seen by Microsoft Threat Intelligence Center(MSTIC) as a ransomware campaign targeting organization in the transportation and logistic industries in some countries. This ransomware campaign highlight the destructive attack to its target organization that directly supplies or transporting military and humanitarian services or assistance. MSTIC observed this ransomware has similarities in terms of its deployment techniques with CaddyWiper and HermeticWiper which is also known malware campaign impacted multiple targeted critical infrastructure organizations. This analytic story will provide techniques and analytics that may help SOC or security researchers to monitor this threat.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Change Default File Association Change Default File Association, Event Triggered Execution TTP
Common Ransomware Extensions Data Destruction Hunting
Create or delete windows shares using net exe Indicator Removal, Network Share Connection Removal TTP
Deleting Shadow Copies Inhibit System Recovery TTP
Domain Group Discovery With Net Permission Groups Discovery, Domain Groups Hunting
Dump LSASS via comsvcs DLL LSASS Memory, OS Credential Dumping TTP
Excessive Usage Of Cacls App File and Directory Permissions Modification Anomaly
Excessive Usage Of Net App Account Access Removal Anomaly
Executable File Written in Administrative SMB Share Remote Services, SMB/Windows Admin Shares TTP
Impacket Lateral Movement Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement smbexec CommandLine Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement WMIExec Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Net Localgroup Discovery Permission Groups Discovery, Local Groups Hunting
Network Connection Discovery With Arp System Network Connections Discovery Hunting
Network Connection Discovery With Net System Network Connections Discovery Hunting
Network Connection Discovery With Netstat System Network Connections Discovery Hunting
Network Discovery Using Route Windows App System Network Configuration Discovery, Internet Connection Discovery Hunting
Ntdsutil Export NTDS NTDS, OS Credential Dumping TTP
Recon AVProduct Through Pwh or WMI Gather Victim Host Information TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Schtasks scheduling job on remote system Scheduled Task, Scheduled Task/Job TTP
Suspicious Process File Path Create or Modify System Process TTP
WBAdmin Delete System Backups Inhibit System Recovery TTP
Windows Cached Domain Credentials Reg Query Cached Domain Credentials, OS Credential Dumping Anomaly
Windows Change Default File Association For No File Ext Change Default File Association, Event Triggered Execution TTP
Windows ClipBoard Data via Get-ClipBoard Clipboard Data Anomaly
Windows Credentials from Password Stores Query Credentials from Password Stores Anomaly
Windows Credentials in Registry Reg Query Credentials in Registry, Unsecured Credentials Anomaly
Windows Indirect Command Execution Via Series Of Forfiles Indirect Command Execution Anomaly
Windows Information Discovery Fsutil System Information Discovery Anomaly
Windows Modify Registry Reg Restore Query Registry Hunting
Windows Password Managers Discovery Password Managers Anomaly
Windows Private Keys Discovery Private Keys, Unsecured Credentials Anomaly
Windows Query Registry Reg Save Query Registry Hunting
Windows Security Support Provider Reg Query Security Support Provider, Boot or Logon Autostart Execution Anomaly
Windows Service Stop Via Net and SC Application Service Stop Anomaly
Windows Steal or Forge Kerberos Tickets Klist Steal or Forge Kerberos Tickets Hunting
Windows System Network Config Discovery Display DNS System Network Configuration Discovery Anomaly
Windows System Network Connections Discovery Netsh System Network Connections Discovery Anomaly
Windows System User Discovery Via Quser System Owner/User Discovery Hunting
Windows WMI Process And Service List Windows Management Instrumentation Anomaly
WinEvent Scheduled Task Created Within Public Path Scheduled Task, Scheduled Task/Job TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 5145 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational

References

Source: GitHub | Version: 1