Analytics Story: Prestige Ransomware

Updated Date: 2026-05-13 ID: 8b8d8506-b931-450c-b794-f24184ca1deb Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige Ransomware

Why it matters

This story addresses Prestige ransomware. This ransomware payload seen by Microsoft Threat Intelligence Center(MSTIC) as a ransomware campaign targeting organization in the transportation and logistic industries in some countries. This ransomware campaign highlight the destructive attack to its target organization that directly supplies or transporting military and humanitarian services or assistance. MSTIC observed this ransomware has similarities in terms of its deployment techniques with CaddyWiper and HermeticWiper which is also known malware campaign impacted multiple targeted critical infrastructure organizations. This analytic story will provide techniques and analytics that may help SOC or security researchers to monitor this threat.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Windows System User Discovery Via Quser	System Owner/User Discovery	Hunting
Deleting Shadow Copies	Inhibit System Recovery	TTP
Windows ClipBoard Data via Get-ClipBoard	Clipboard Data	Anomaly
Recon AVProduct Through Pwh or WMI	Gather Victim Host Information	TTP
Impacket Lateral Movement WMIExec Commandline Parameters	SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
WinEvent Scheduled Task Created Within Public Path	Scheduled Task	TTP
Windows System Network Connections Discovery Netsh	System Network Connections Discovery	Anomaly
WinEvent Windows Task Scheduler Event Action Started	Scheduled Task	Hunting
Windows Indirect Command Execution Via Series Of Forfiles	Indirect Command Execution	Anomaly
Windows Cached Domain Credentials Reg Query	Cached Domain Credentials	Anomaly
Windows Network Connection Discovery Via Net	System Network Connections Discovery	Hunting
Windows Suspicious Process File Path	Match Legitimate Resource Name or Location, Create or Modify System Process	TTP
Network Discovery Using Route Windows App	Internet Connection Discovery	Hunting
Ntdsutil Export NTDS	NTDS	TTP
Windows Excessive Usage Of Net App	Account Access Removal	Anomaly
Windows Service Stop Attempt	Service Stop	Hunting
Windows Credentials in Registry Reg Query	Credentials in Registry	Anomaly
Create or delete windows shares using net exe	Network Share Connection Removal	TTP
Network Connection Discovery With Arp	System Network Connections Discovery	Hunting
Excessive Usage Of Cacls App	File and Directory Permissions Modification	Anomaly
WBAdmin Delete System Backups	Inhibit System Recovery	TTP
Windows New Default File Association Value Set	Change Default File Association	Hunting
Windows WMI Process And Service List	Windows Management Instrumentation	Anomaly
Windows System Network Config Discovery Display DNS	System Network Configuration Discovery	Anomaly
Windows Private Keys Discovery	Private Keys	Anomaly
Schtasks scheduling job on remote system	Scheduled Task	TTP
Impacket Lateral Movement smbexec CommandLine Parameters	SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
Windows Change File Association Command To Notepad	Change Default File Association	TTP
Windows Office Product Spawned Rundll32 With No DLL	Spearphishing Attachment	TTP
Windows Steal or Forge Kerberos Tickets Klist	Steal or Forge Kerberos Tickets	Hunting
Common Ransomware Extensions	Data Destruction	TTP
Windows Registry Entries Restored Via Reg	Query Registry	Hunting
Windows Information Discovery Fsutil	System Information Discovery	Anomaly
Windows Security Support Provider Reg Query	Security Support Provider	Anomaly
Dump LSASS via comsvcs DLL	LSASS Memory	TTP
Network Connection Discovery With Netstat	System Network Connections Discovery	Hunting
Windows Credentials from Password Stores Query	Credentials from Password Stores	Anomaly
Executable File Written in Administrative SMB Share	SMB/Windows Admin Shares	TTP
Impacket Lateral Movement Commandline Parameters	SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
Windows Group Discovery Via Net	Local Groups, Domain Groups	Hunting
Scheduled Task Deleted Or Created via CMD	Scheduled Task	Anomaly
Windows Password Managers Discovery	Password Managers	Anomaly
Windows Registry Entries Exported Via Reg	Query Registry	Hunting

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	Other	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon EventID 1	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4688	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Powershell Script Block Logging 4104	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-PowerShell/Operational`
Windows Event Log Security 4698	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Windows Event Log TaskScheduler 201	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Windows Event Log TaskScheduler 200	Windows	`wineventlog`	`WinEventLog:Microsoft-Windows-TaskScheduler/Operational`
Sysmon EventID 13	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 11	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 5145	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`

References

https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/

Source: GitHub | Version: 2