Analytic Story: Ransomware

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware: spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, system processes run from unexpected locations, and more.
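Three of the checks named above (suspicious wevtutil usage, common ransomware extensions, and system processes run from unexpected locations), as an added example written for this page in Python rather than Splunk SPL so that it runs offline. It is not the project's own search logic; the abbreviated extension list, the host names and paths, and the SAMPLE_EVENTS are constructed for the example and are assumptions, not data from the page.

```python
import ntpath
from typing import Dict, Iterable, List

Event = Dict[str, str]

# Abbreviated lookup of extensions appended by well-known ransomware families.
# The shipped lookup is far longer; this subset only exercises the logic.
RANSOMWARE_EXTENSIONS = {".wncry", ".wcry", ".locky", ".cerber", ".ryk", ".conti", ".lockbit"}

# Windows binaries that legitimately run only from the directories below.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "wininit.exe", "smss.exe", "explorer.exe"}
EXPECTED_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
WINSXS_PREFIX = "c:\\windows\\winsxs\\"

# Constructed sample events in a flattened Sysmon shape (EventID 1 = process
# creation, EventID 11 = file creation). Not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "1", "host": "ws01", "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},                    # log clearing
    {"EventID": "1", "host": "ws01", "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil.exe qe System /c:5"},                 # benign query
    {"EventID": "1", "host": "ws02", "Image": "C:\\Users\\Public\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},                      # masquerading copy
    {"EventID": "1", "host": "ws02", "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},                      # the real svchost
    {"EventID": "11", "host": "ws03", "Image": "C:\\Users\\Public\\enc.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\Q3-forecast.xlsx.wncry"},
    {"EventID": "11", "host": "ws03", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
]


def detect_suspicious_wevtutil(events: Iterable[Event]) -> List[Dict[str, str]]:
    """wevtutil.exe invoked with the cl / clear-log subcommand (Clear Windows Event Logs)."""
    alerts = []
    for e in events:
        if e.get("EventID") != "1":
            continue
        if ntpath.basename(e.get("Image", "")).lower() != "wevtutil.exe":
            continue
        tokens = e.get("CommandLine", "").lower().split()
        if any(t in ("cl", "clear-log") for t in tokens):
            alerts.append({"rule": "suspicious_wevtutil", "host": e["host"],
                           "detail": e["CommandLine"]})
    return alerts


def detect_common_ransomware_extensions(events: Iterable[Event]) -> List[Dict[str, str]]:
    """File-creation events whose final extension is in the ransomware lookup."""
    alerts = []
    for e in events:
        if e.get("EventID") != "11":
            continue
        target = e.get("TargetFilename", "")
        ext = ntpath.splitext(target)[1].lower()   # last suffix only, e.g. ".wncry"
        if ext in RANSOMWARE_EXTENSIONS:
            alerts.append({"rule": "common_ransomware_extension", "host": e["host"],
                           "detail": target})
    return alerts


def detect_system_process_unexpected_location(events: Iterable[Event]) -> List[Dict[str, str]]:
    """A system binary name running from a parent directory other than the expected ones."""
    alerts = []
    for e in events:
        if e.get("EventID") != "1":
            continue
        image = e.get("Image", "")
        if ntpath.basename(image).lower() not in SYSTEM_BINARIES:
            continue
        directory = ntpath.dirname(image).lower()
        # Exact parent-directory match: C:\Windows\Temp\svchost.exe is still flagged.
        if directory in EXPECTED_DIRS or directory.startswith(WINSXS_PREFIX):
            continue
        alerts.append({"rule": "system_process_unexpected_location", "host": e["host"],
                       "detail": image})
    return alerts


def run_detections(events: List[Event]) -> List[Dict[str, str]]:
    """Run all three checks and return the combined alert list."""
    return (detect_suspicious_wevtutil(events)
            + detect_common_ransomware_extensions(events)
            + detect_system_process_unexpected_location(events))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Two design choices matter in practice: the wevtutil check keys on the `cl`/`clear-log` subcommand rather than on any execution of the binary, because `wevtutil qe` queries are routine administration; and the location check compares the exact parent directory instead of a `C:\Windows` prefix, so a copy dropped into `C:\Windows\Temp` is still caught. The extension check matches only the last suffix, which is how most families append their marker.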

Why it matters

Ransomware is an ever-present risk to the enterprise: an infected host encrypts business-critical data and holds it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and drive-by downloads, as well as through traditional exploitation of exposed remote services. In the case of the WannaCry campaign, self-propagating wormable functionality was used to maximize infection. Fortunately, organizations can apply several techniques, such as those in this Analytic Story, to detect and/or mitigate the effects of ransomware.

Detections

Name | Technique | Type
Remote Process Instantiation via WMI | Windows Management Instrumentation | TTP
Detect RClone Command-Line Usage | Automated Exfiltration | TTP
Prevent Automatic Repair Mode using Bcdedit | Inhibit System Recovery | TTP
Windows Excessive Usage Of Net App | Account Access Removal | Anomaly
Detect Remote Access Software Usage Registry | Remote Access Tools | Anomaly
Disable ETW Through Registry | Disable or Modify Tools | TTP
Clear Unallocated Sector Using Cipher App | File Deletion | TTP
Deleting Shadow Copies | Inhibit System Recovery | TTP
Windows Disable Shutdown Button Through Registry | Modify Registry | Anomaly
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
Detect Remote Access Software Usage FileInfo | Remote Access Tools | Anomaly
Windows Event Log Cleared | Clear Windows Event Logs | TTP
Spike in File Writes | None | Anomaly
7zip CommandLine To SMB Share Path | Archive via Utility | Hunting
Windows Excessive Service Stop Attempt | Service Stop | TTP
MS Exchange Mailbox Replication service writing Active Server Pages | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP
Rundll32 LockWorkStation | Rundll32 | Anomaly
Detect Remote Access Software Usage DNS | Remote Access Tools | Anomaly
Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP
Detect SharpHound Command-Line Arguments | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP
Powershell Disable Security Monitoring | Disable or Modify Tools | TTP
Detect Renamed RClone | Automated Exfiltration | Hunting
Windows Eventlog Cleared Via Wevtutil | Clear Windows Event Logs | Anomaly
Detect Remote Access Software Usage File | Remote Access Tools | Anomaly
Allow File And Printing Sharing In Firewall | Cloud Firewall | TTP
USN Journal Deletion | Indicator Removal | TTP
Common Ransomware Extensions | Data Destruction | TTP
Windows Disable Change Password Through Registry | Modify Registry | Anomaly
ICACLS Grant Command | File and Directory Permissions Modification | Anomaly
Unusually Long Command Line | None | Anomaly
Windows Disable LogOff Button Through Registry | Modify Registry | Anomaly
Powershell Enable SMB1Protocol Feature | Indicator Removal from Tools | TTP
Windows Remote Image Load | Command and Scripting Interpreter, Exploitation for Privilege Escalation, Shared Modules, Exploitation for Client Execution | Anomaly
Excessive Usage Of SC Service Utility | Service Execution | Anomaly
Fsutil Zeroing File | Indicator Removal | TTP
WBAdmin Delete System Backups | Inhibit System Recovery | TTP
Windows Process Execution in Temp Dir | Match Legitimate Resource Name or Location, Create or Modify System Process | Anomaly
Detect Remote Access Software Usage Traffic | Remote Access Tools | Anomaly
Uninstall App Using MsiExec | Msiexec | TTP
Detect Remote Access Software Usage Process | Remote Access Tools | Anomaly
Windows Scheduled Task with Suspicious Command | Scheduled Task | TTP
Detect Remote Access Software Usage URL | Remote Access Tools | Anomaly
Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP
Detect SharpHound File Modifications | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task | TTP
Windows Set Account Password Policy To Unlimited Via Net | Service Stop | Anomaly
Disable Logs Using WevtUtil | Clear Windows Event Logs | TTP
Permission Modification using Takeown App | File and Directory Permissions Modification | Anomaly
Suspicious wevtutil Usage | Clear Windows Event Logs | TTP
Windows Event Logging Service Has Shutdown | Clear Windows Event Logs | Hunting
Windows InstallUtil in Non Standard Path | Rename Legitimate Utilities, InstallUtil | TTP
Windows DiskCryptor Usage | Data Encrypted for Impact | Hunting
BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP
Revil Common Exec Parameter | User Execution | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Allow Network Discovery In Firewall | Cloud Firewall | TTP
Msmpeng Application DLL Side Loading | DLL | TTP
Windows .Key File Creation in Root Directory | Data Encrypted for Impact | Anomaly
Conti Common Exec parameter | User Execution | TTP
Windows Disable Windows Group Policy Features Through Registry | Modify Registry | Anomaly
Common Ransomware Notes | Data Destruction | Hunting
Windows Hide Notification Features Through Registry | Modify Registry | Anomaly
Revil Registry Entry | Modify Registry | TTP
Windows Scheduled Task with Suspicious Name | Scheduled Task | TTP
System Processes Run From Unexpected Locations | Rename Legitimate Utilities | Anomaly
UAC Bypass With Colorui COM Object | CMSTP | TTP
Cisco Secure Firewall - Remote Access Software Usage Traffic | Remote Access Tools | Anomaly
Windows Registry Modification for Safe Mode Persistence | Registry Run Keys / Startup Folder | TTP
Windows Disable Memory Crash Dump | Data Destruction | TTP
Disable AMSI Through Registry | Disable or Modify Tools | TTP
Schtasks used for forcing a reboot | Scheduled Task | TTP
Windows RMM Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | Anomaly
Recursive Delete of Directory In Batch CMD | File Deletion | TTP
TOR Traffic | Multi-hop Proxy | TTP
Prohibited Network Traffic Allowed | Exfiltration Over Alternative Protocol | TTP
Windows Disable Lock Workstation Feature Through Registry | Modify Registry | Anomaly
Wbemprox COM Object Execution | CMSTP | TTP
Powershell Execute COM Object | PowerShell, Component Object Model Hijacking | TTP
Modification Of Wallpaper | Defacement | TTP
Windows DotNet Binary in Non Standard Path | Rename Legitimate Utilities, InstallUtil | TTP
Windows Security And Backup Services Stop | Inhibit System Recovery | TTP
CMLUA Or CMSTPLUA UAC Bypass | CMSTP | TTP
Disable Windows Behavior Monitoring | Disable or Modify Tools | TTP
Windows NirSoft AdvancedRun | Tool | TTP
Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP
Windows Raccine Scheduled Task Deletion | Disable or Modify Tools | TTP
Execute Javascript With Jscript COM CLSID | Visual Basic | TTP
Detect SharpHound Usage | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP
SMB Traffic Spike | SMB/Windows Admin Shares | Anomaly
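The two volumetric detections in the table, SMB Traffic Spike and Spike in File Writes, work differently from the pattern matches above: they bucket events per host and time window and flag a window whose count sits far above that host's own baseline. The following is an added example written for this page (Python, not the project's own SPL): it buckets constructed tcp/445 flow records per source per hour and alerts when an hour exceeds mean + 3 standard deviations of the preceding hours. The source address, the hourly counts in BASELINE_COUNTS, the thresholds and the flow shape are assumptions made for the example; the same routine applies unchanged to per-host file-write counts from Sysmon EventID 11.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
from typing import Dict, List

# Constructed hourly profile for one workstation: 10-25 SMB connections per hour
# for 23 hours, then a burst that models a host enumerating and encrypting shares.
# Not real telemetry.
BASELINE_COUNTS = [12, 15, 11, 18, 14, 20, 16, 13, 22, 17, 19, 15,
                   14, 21, 18, 16, 12, 23, 17, 15, 19, 14, 16, 340]


def build_flows(counts: List[int], src: str = "10.0.5.17",
                start: datetime = datetime(2024, 1, 1, tzinfo=timezone.utc)) -> List[dict]:
    """Expand per-hour counts into individual flow records (ts, src, dest, dest_port)."""
    flows = []
    for hour, n in enumerate(counts):
        for i in range(n):
            flows.append({"ts": start + timedelta(hours=hour, minutes=i % 60),
                          "src": src, "dest": f"10.0.9.{i % 50 + 1}", "dest_port": 445})
    return flows


def bucket_hourly(flows: List[dict]) -> Dict[str, Dict[datetime, int]]:
    """Equivalent of 'bucket _time span=1h | stats count by _time, src' for SMB traffic."""
    counts: Dict[str, Dict[datetime, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["dest_port"] != 445:
            continue
        hour = f["ts"].replace(minute=0, second=0, microsecond=0)
        counts[f["src"]][hour] += 1
    return counts


def detect_spikes(counts_by_src: Dict[str, Dict[datetime, int]], sigma: float = 3.0,
                  min_baseline: int = 12, min_count: int = 50) -> List[dict]:
    """Flag an hour whose count exceeds mean + sigma*stdev of the hours before it.

    The tested hour is deliberately excluded from its own baseline: a single
    huge bin inflates the stdev and can hide itself. min_baseline avoids
    judging a host with too little history; min_count is an absolute floor so
    a near-zero stdev (flat baseline) cannot fire on a handful of connections.
    """
    alerts = []
    for src, per_hour in counts_by_src.items():
        hours = sorted(per_hour)
        for i, h in enumerate(hours):
            history = [per_hour[x] for x in hours[:i]]
            if len(history) < min_baseline:
                continue
            threshold = mean(history) + sigma * pstdev(history)
            count = per_hour[h]
            if count > threshold and count >= min_count:
                alerts.append({"src": src, "hour": h.isoformat(), "count": count,
                               "threshold": round(threshold, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(bucket_hourly(build_flows(BASELINE_COUNTS))):
        print(alert)
```

The rolling baseline is the important design choice. If the tested bin is included in the population it is compared against, the largest z-score any one of n bins can reach is bounded (roughly sqrt(n-1) with a population standard deviation), so a short lookback of ten or fewer bins can never cross a 3-sigma line no matter how large the burst. Tune `min_count` per environment: file servers and backup hosts have legitimately large SMB fan-out and need their own baseline or an allow-list.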

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 1102 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log System 104 | Windows | XmlWinEventLog | XmlWinEventLog:System
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Palo Alto Network Traffic | Network | pan:traffic | not_applicable
Windows Event Log Security 4700 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4702 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Palo Alto Network Threat | Network | pan:threat | not_applicable
Windows Event Log Security 1100 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 12 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Cisco Secure Firewall Threat Defense Connection Event | Other | cisco:sfw:estreamer | not_applicable
Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log System 7036 | Windows | XmlWinEventLog | XmlWinEventLog:System

Source: GitHub | Version: 2