Analytics Story: Ransomware

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware, such as spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, system processes run from unexpected locations, and many others.

Why it matters

Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and drive-by downloads, as well as through traditional remote service-based exploitation. In the case of the WannaCry campaign, self-propagating wormable functionality was used to maximize infection. Fortunately, organizations can apply several techniques, such as those in this Analytic Story, to detect and/or mitigate the effects of ransomware.

Detections

Name | Technique | Type
Scheduled tasks used in BadRabbit ransomware | Scheduled Task | TTP
7zip CommandLine To SMB Share Path | Archive via Utility, Archive Collected Data | Hunting
Allow File And Printing Sharing In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP
Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP
Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP
BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP
Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal | TTP
CMLUA Or CMSTPLUA UAC Bypass | System Binary Proxy Execution, CMSTP | TTP
Common Ransomware Extensions | Data Destruction | Hunting
Common Ransomware Notes | Data Destruction | Hunting
Conti Common Exec parameter | User Execution | TTP
Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP
Deleting Shadow Copies | Inhibit System Recovery | TTP
Detect RClone Command-Line Usage | Automated Exfiltration | TTP
Detect Remote Access Software Usage File | Remote Access Software | Anomaly
Detect Remote Access Software Usage FileInfo | Remote Access Software | Anomaly
Detect Remote Access Software Usage Process | Remote Access Software | Anomaly
Detect Renamed RClone | Automated Exfiltration | Hunting
Detect SharpHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Detect SharpHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Detect SharpHound Usage | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Disable AMSI Through Registry | Disable or Modify Tools, Impair Defenses | TTP
Disable ETW Through Registry | Disable or Modify Tools, Impair Defenses | TTP
Disable Logs Using WevtUtil | Indicator Removal, Clear Windows Event Logs | TTP
Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP
Excessive Service Stop Attempt | Service Stop | Anomaly
Excessive Usage Of Net App | Account Access Removal | Anomaly
Excessive Usage Of SC Service Utility | System Services, Service Execution | Anomaly
Execute Javascript With Jscript COM CLSID | Command and Scripting Interpreter, Visual Basic | TTP
Fsutil Zeroing File | Indicator Removal | TTP
ICACLS Grant Command | File and Directory Permissions Modification | TTP
Known Services Killed by Ransomware | Inhibit System Recovery | TTP
Modification Of Wallpaper | Defacement | TTP
MS Exchange Mailbox Replication service writing Active Server Pages | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | TTP
Msmpeng Application DLL Side Loading | DLL Side-Loading, Hijack Execution Flow | TTP
Permission Modification using Takeown App | File and Directory Permissions Modification | TTP
Powershell Disable Security Monitoring | Disable or Modify Tools, Impair Defenses | TTP
Powershell Enable SMB1Protocol Feature | Obfuscated Files or Information, Indicator Removal from Tools | TTP
Powershell Execute COM Object | Component Object Model Hijacking, Event Triggered Execution, PowerShell | TTP
Prevent Automatic Repair Mode using Bcdedit | Inhibit System Recovery | TTP
Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP
Recursive Delete of Directory In Batch CMD | File Deletion, Indicator Removal | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Remote Process Instantiation via WMI | Windows Management Instrumentation | TTP
Revil Common Exec Parameter | User Execution | TTP
Revil Registry Entry | Modify Registry | TTP
Rundll32 LockWorkStation | System Binary Proxy Execution, Rundll32 | Anomaly
Schtasks used for forcing a reboot | Scheduled Task, Scheduled Task/Job | TTP
Spike in File Writes | None | Anomaly
Suspicious Event Log Service Behavior | Indicator Removal, Clear Windows Event Logs | Hunting
Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly
Suspicious wevtutil Usage | Clear Windows Event Logs, Indicator Removal | TTP
System Processes Run From Unexpected Locations | Masquerading, Rename System Utilities | Anomaly
UAC Bypass With Colorui COM Object | System Binary Proxy Execution, CMSTP | TTP
Uninstall App Using MsiExec | Msiexec, System Binary Proxy Execution | TTP
Unusually Long Command Line | None | Anomaly
Unusually Long Command Line - MLTK | None | Anomaly
USN Journal Deletion | Indicator Removal | TTP
WBAdmin Delete System Backups | Inhibit System Recovery | TTP
Wbemprox COM Object Execution | System Binary Proxy Execution, CMSTP | TTP
Windows Disable Change Password Through Registry | Modify Registry | Anomaly
Windows Disable Lock Workstation Feature Through Registry | Modify Registry | Anomaly
Windows Disable LogOff Button Through Registry | Modify Registry | Anomaly
Windows Disable Memory Crash Dump | Data Destruction | TTP
Windows Disable Shutdown Button Through Registry | Modify Registry | Anomaly
Windows Disable Windows Group Policy Features Through Registry | Modify Registry | Anomaly
Windows DiskCryptor Usage | Data Encrypted for Impact | Hunting
Windows DotNet Binary in Non Standard Path | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | TTP
Windows Event Log Cleared | Indicator Removal, Clear Windows Event Logs | TTP
Windows Hide Notification Features Through Registry | Modify Registry | Anomaly
Windows InstallUtil in Non Standard Path | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | TTP
Windows NirSoft AdvancedRun | Tool | TTP
Windows Raccine Scheduled Task Deletion | Disable or Modify Tools | TTP
Windows Registry Modification for Safe Mode Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Windows Remote Access Software Hunt | Remote Access Software | Hunting
WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task, Scheduled Task/Job | TTP
WinEvent Scheduled Task Created Within Public Path | Scheduled Task, Scheduled Task/Job | TTP
Detect Remote Access Software Usage DNS | Remote Access Software | Anomaly
Detect Remote Access Software Usage Traffic | Remote Access Software | Anomaly
Prohibited Network Traffic Allowed | Exfiltration Over Alternative Protocol | TTP
SMB Traffic Spike | SMB/Windows Admin Shares, Remote Services | Anomaly
SMB Traffic Spike - MLTK | SMB/Windows Admin Shares, Remote Services | Anomaly
TOR Traffic | Proxy, Multi-hop Proxy | TTP
Detect Remote Access Software Usage URL | Remote Access Software | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Palo Alto Network Threat | Network | pan:threat | pan:threat
Palo Alto Network Traffic | Network | pan:traffic | screenconnect_palo_traffic
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 1100 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 1102 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log System 7036 | Windows | xmlwineventlog | XmlWinEventLog:System

Source: GitHub | Version: 1