Description

The search looks for file modifications with extensions commonly used by Ransomware

  • Type: Hunting
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-11-09
  • Author: David Dorsey, Splunk
  • ID: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec

ATT&CK

  • ID: T1485, Technique: Data Destruction, Tactic: Impact

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)`
| rex field=file_name "(?<file_extension>\.[^\.]+)$" 
| `ransomware_extensions` 
| `common_ransomware_extensions_filter`
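As an added example that is not part of the Splunk detection itself, the following Python models the search above over constructed Endpoint.Filesystem-style rows: it groups events by file_name (as the tstats `by` clause does), computes count and first/last time, extracts the extension with the same rex pattern, and keeps only rows whose extension appears in a lookup. The lookup contents, the MM/DD/YYYY HH:MM:SS output of `security_content_ctime`, and the case-insensitive match are assumptions; the per-host count at the end goes beyond the search to support the triage suggested under Known False Positives.

```python
"""Added example, not Splunk's code: a Python model of the tstats/rex/lookup
pipeline in the Common Ransomware Extensions search, run over constructed rows."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-in for the `ransomware_extensions` lookup (assumption). The
# lookup shipped with Splunk security content is much larger; here each
# extension maps to the family Name that the Incident Review note refers to.
RANSOMWARE_EXTENSIONS = {
    ".locky": "Locky",
    ".cerber": "Cerber",
    ".wncry": "WannaCry",
}

# Same pattern as the search's rex, in Python named-group syntax.
EXT_RE = re.compile(r"(?P<file_extension>\.[^.]+)$")

# Constructed sample events shaped like Endpoint.Filesystem rows (_time is epoch).
SAMPLE_EVENTS = [
    {"_time": 1604880000, "user": "CORP\\alice", "dest": "ws01",
     "file_path": "C:\\Users\\alice\\Documents\\q3.xlsx.locky", "file_name": "q3.xlsx.locky"},
    {"_time": 1604880005, "user": "CORP\\alice", "dest": "ws01",
     "file_path": "C:\\Users\\alice\\Documents\\budget.docx.locky", "file_name": "budget.docx.locky"},
    {"_time": 1604880010, "user": "CORP\\alice", "dest": "ws01",
     "file_path": "C:\\Users\\alice\\Pictures\\cat.jpg.locky", "file_name": "cat.jpg.locky"},
    {"_time": 1604880020, "user": "CORP\\alice", "dest": "ws01",  # second write, same name
     "file_path": "C:\\Users\\alice\\Documents\\q3.xlsx.locky", "file_name": "q3.xlsx.locky"},
    {"_time": 1604883600, "user": "CORP\\bob", "dest": "ws02",
     "file_path": "C:\\Users\\bob\\Desktop\\invoice.pdf.cerber", "file_name": "invoice.pdf.cerber"},
    {"_time": 1604883700, "user": "CORP\\bob", "dest": "ws02",
     "file_path": "C:\\Users\\bob\\Desktop\\report.docx", "file_name": "report.docx"},
    {"_time": 1604883800, "user": "SYSTEM", "dest": "ws02",
     "file_path": "C:\\Windows\\Temp\\README", "file_name": "README"},
]


def security_content_ctime(epoch):
    """Assumed behaviour of the `security_content_ctime` macro: epoch to
    MM/DD/YYYY HH:MM:SS. UTC is used here so the output is deterministic."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def extract_extension(file_name):
    """rex field=file_name "(?<file_extension>\\.[^\\.]+)$": None when no dot."""
    m = EXT_RE.search(file_name)
    return m.group("file_extension") if m else None


def common_ransomware_extensions(events, lookup=RANSOMWARE_EXTENSIONS):
    """One result row per file_name whose extension is in the lookup."""
    # tstats ... by Filesystem.file_name: count, min/max _time and distinct values().
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None,
                                "user": set(), "dest": set(), "file_path": set()})
    for ev in events:
        r = rows[ev["file_name"]]
        r["count"] += 1
        t = ev["_time"]
        r["firstTime"] = t if r["firstTime"] is None else min(r["firstTime"], t)
        r["lastTime"] = t if r["lastTime"] is None else max(r["lastTime"], t)
        for field in ("user", "dest", "file_path"):
            r[field].add(ev[field])
    results = []
    for file_name in sorted(rows):
        r = rows[file_name]
        ext = extract_extension(file_name)
        # `ransomware_extensions`: keep only rows whose extension is in the lookup
        # (case-insensitive match assumed); a name with no dot never matches.
        if ext is None or ext.lower() not in lookup:
            continue
        results.append({
            "file_name": file_name,
            "file_extension": ext,
            "Name": lookup[ext.lower()],
            "count": r["count"],
            "firstTime": security_content_ctime(r["firstTime"]),
            "lastTime": security_content_ctime(r["lastTime"]),
            "user": sorted(r["user"]),
            "dest": sorted(r["dest"]),
            "file_path": sorted(r["file_path"]),
        })
    return results


def matching_files_per_dest(results):
    """Triage view beyond the search: one matching file on a host may be a benign
    coincidence, many distinct files on one host look like encryption in progress."""
    per_dest = defaultdict(int)
    for row in results:
        for dest in row["dest"]:
            per_dest[dest] += 1
    return dict(per_dest)


def rba_message(row):
    """Fill the detection's RBA message template for one result row."""
    return (f"A file - {row['file_name']} was written to disk on endpoint "
            f"{','.join(row['dest'])} by user {','.join(row['user'])}, this is "
            "indicative of a known ransomware file extension and should be reviewed immediately.")


if __name__ == "__main__":
    hits = common_ransomware_extensions(SAMPLE_EVENTS)
    for row in hits:
        print(rba_message(row))
    print(matching_files_per_dest(hits))
```

With the constructed events, `report.docx` and the dotless `README` drop out, `q3.xlsx.locky` carries count 2 with its first and last write times, and the per-host view shows three matching files on ws01 against one on ws02, which is the shape of evidence the false-positive note asks a reviewer to weigh.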

Associated Analytic Story

How To Implement

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
This search produces fields (for example file_extension and Name) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):

  1. Label: Name, Field: Name
  2. Label: File Extension, Field: file_extension

Detailed documentation on how to create a new field within Incident Review may be found here: https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details

Required field

  • _time
  • Filesystem.user
  • Filesystem.dest
  • Filesystem.file_path
  • Filesystem.file_name

Kill Chain Phase

  • Actions on Objectives

Known False Positives

It is possible for a legitimate file with one of these extensions to be created. In a true ransomware attack there will be a large number of files created with these extensions on the same host in a short period, so a single match should be weighed against the volume of matches on that endpoint.

RBA

  • Risk Score: 90.0
  • Impact: 90
  • Confidence: 100
  • Message: A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware file extension and should be reviewed immediately.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 4