Analytics Story: Prestige Ransomware
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige Ransomware
Why it matters
This story addresses Prestige ransomware. This ransomware payload seen by Microsoft Threat Intelligence Center(MSTIC) as a ransomware campaign targeting organization in the transportation and logistic industries in some countries. This ransomware campaign highlight the destructive attack to its target organization that directly supplies or transporting military and humanitarian services or assistance. MSTIC observed this ransomware has similarities in terms of its deployment techniques with CaddyWiper and HermeticWiper which is also known malware campaign impacted multiple targeted critical infrastructure organizations. This analytic story will provide techniques and analytics that may help SOC or security researchers to monitor this threat.
Detections
Name ▲▼ |
Technique ▲▼ |
Type ▲▼ |
Change Default File Association |
Change Default File Association, Event Triggered Execution |
TTP |
Common Ransomware Extensions |
Data Destruction |
Hunting |
Create or delete windows shares using net exe |
Indicator Removal, Network Share Connection Removal |
TTP |
Deleting Shadow Copies |
Inhibit System Recovery |
TTP |
Domain Group Discovery With Net |
Permission Groups Discovery, Domain Groups |
Hunting |
Dump LSASS via comsvcs DLL |
LSASS Memory, OS Credential Dumping |
TTP |
Excessive Usage Of Cacls App |
File and Directory Permissions Modification |
Anomaly |
Excessive Usage Of Net App |
Account Access Removal |
Anomaly |
Executable File Written in Administrative SMB Share |
Remote Services, SMB/Windows Admin Shares |
TTP |
Impacket Lateral Movement Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
Impacket Lateral Movement smbexec CommandLine Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
Impacket Lateral Movement WMIExec Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
Net Localgroup Discovery |
Permission Groups Discovery, Local Groups |
Hunting |
Network Connection Discovery With Arp |
System Network Connections Discovery |
Hunting |
Network Connection Discovery With Net |
System Network Connections Discovery |
Hunting |
Network Connection Discovery With Netstat |
System Network Connections Discovery |
Hunting |
Network Discovery Using Route Windows App |
System Network Configuration Discovery, Internet Connection Discovery |
Hunting |
Ntdsutil Export NTDS |
NTDS, OS Credential Dumping |
TTP |
Recon AVProduct Through Pwh or WMI |
Gather Victim Host Information |
TTP |
Scheduled Task Deleted Or Created via CMD |
Scheduled Task, Scheduled Task/Job |
TTP |
Schtasks scheduling job on remote system |
Scheduled Task, Scheduled Task/Job |
TTP |
Suspicious Process File Path |
Create or Modify System Process |
TTP |
WBAdmin Delete System Backups |
Inhibit System Recovery |
TTP |
Windows Cached Domain Credentials Reg Query |
Cached Domain Credentials, OS Credential Dumping |
Anomaly |
Windows Change Default File Association For No File Ext |
Change Default File Association, Event Triggered Execution |
TTP |
Windows ClipBoard Data via Get-ClipBoard |
Clipboard Data |
Anomaly |
Windows Credentials from Password Stores Query |
Credentials from Password Stores |
Anomaly |
Windows Credentials in Registry Reg Query |
Credentials in Registry, Unsecured Credentials |
Anomaly |
Windows Indirect Command Execution Via Series Of Forfiles |
Indirect Command Execution |
Anomaly |
Windows Information Discovery Fsutil |
System Information Discovery |
Anomaly |
Windows Modify Registry Reg Restore |
Query Registry |
Hunting |
Windows Password Managers Discovery |
Password Managers |
Anomaly |
Windows Private Keys Discovery |
Private Keys, Unsecured Credentials |
Anomaly |
Windows Query Registry Reg Save |
Query Registry |
Hunting |
Windows Security Support Provider Reg Query |
Security Support Provider, Boot or Logon Autostart Execution |
Anomaly |
Windows Service Stop Via Net and SC Application |
Service Stop |
Anomaly |
Windows Steal or Forge Kerberos Tickets Klist |
Steal or Forge Kerberos Tickets |
Hunting |
Windows System Network Config Discovery Display DNS |
System Network Configuration Discovery |
Anomaly |
Windows System Network Connections Discovery Netsh |
System Network Connections Discovery |
Anomaly |
Windows System User Discovery Via Quser |
System Owner/User Discovery |
Hunting |
Windows WMI Process And Service List |
Windows Management Instrumentation |
Anomaly |
WinEvent Scheduled Task Created Within Public Path |
Scheduled Task, Scheduled Task/Job |
TTP |
WinEvent Windows Task Scheduler Event Action Started |
Scheduled Task |
Hunting |
Data Sources
References
Source: GitHub | Version: 1