Analytics Story: Ransomware Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud-related objects that may be targeted by malicious actors via the cloud providers' own encryption features.

Why it matters

Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Cloud ransomware can be deployed by obtaining high-privilege credentials from targeted users or resources.

Detections

Name | Technique | Type
AWS Detect Users creating keys with encrypt policy without MFA | Data Encrypted for Impact | TTP
AWS Detect Users with KMS keys performing encryption S3 | Data Encrypted for Impact | Anomaly
O365 SharePoint Malware Detection | Malicious File, User Execution | TTP
O365 Threat Intelligence Suspicious File Detected | Malicious File, User Execution | TTP
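To make the first detection in the table concrete, here is an added example (not Splunk's search or any project code) that applies the same logic in Python to constructed CloudTrail records: flag KMS CreateKey and PutKeyPolicy calls made without MFA whose key policy grants an encrypt action. The ENCRYPT_ACTIONS set, the sample account id and ARNs, and the `_policy` helper are assumptions made for the example.

```python
import json

# Key-policy actions that let the grantee encrypt with the key (assumed set).
ENCRYPT_ACTIONS = {"kms:Encrypt", "kms:*", "*"}
KEY_POLICY_EVENTS = {"CreateKey", "PutKeyPolicy"}

def mfa_authenticated(event: dict) -> bool:
    """CloudTrail stores MFA as the string "true"/"false" under userIdentity.
    sessionContext.attributes; no sessionContext (long-term access key) means no MFA."""
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"

def policy_grants_encrypt(policy_json: str) -> bool:
    """True if any Allow statement in the key policy grants an encrypt action."""
    try:
        statements = json.loads(policy_json).get("Statement", [])
    except (ValueError, TypeError, AttributeError):  # missing, empty or malformed policy
        return False
    for stmt in statements if isinstance(statements, list) else [statements]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and ENCRYPT_ACTIONS.intersection(actions):
            return True
    return False

def detect_keys_without_mfa(events: list) -> list:
    """One finding per KMS CreateKey/PutKeyPolicy made without MFA whose policy grants encryption."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or ev.get("eventName") not in KEY_POLICY_EVENTS:
            continue
        policy = (ev.get("requestParameters") or {}).get("policy", "")
        if not mfa_authenticated(ev) and policy_grants_encrypt(policy):
            findings.append({"eventName": ev["eventName"], "user": ev.get("userIdentity", {}).get("arn", "unknown")})
    return findings

def _policy(*actions: str) -> str:  # builds a minimal key policy document for the samples
    return json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": list(actions), "Resource": "*"}]})

# Constructed sample CloudTrail records (not real logs): two without MFA, one with MFA, one harmless policy.
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateKey", "requestParameters": {"policy": _policy("kms:Encrypt")},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy", "requestParameters": {"policy": _policy("kms:*")},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},  # long-term key: no sessionContext at all
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateKey", "requestParameters": {"policy": _policy("kms:Encrypt")},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol", "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy", "requestParameters": {"policy": _policy("kms:DescribeKey")},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dave"}},
]
```

Running `detect_keys_without_mfa(SAMPLE_EVENTS)` returns findings for alice and bob only; carol used MFA and dave's policy grants no encrypt action.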

Data Sources

Name | Platform | Sourcetype | Source
AWS CloudTrail | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail CreateKey | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail PutKeyPolicy | AWS | aws:cloudtrail | aws_cloudtrail

Source: GitHub | Version: 1