
Description

Leverage searches that let you detect and investigate unusual activity that may indicate ransomware: spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware file extensions, system processes run from unexpected locations, and more.

Narrative

Ransomware is an ever-present risk to the enterprise: an infected host encrypts business-critical data and holds it hostage until the victim pays the attacker a ransom. Many types and variants of ransomware can affect an enterprise. Attackers deploy ransomware through spearphishing campaigns and drive-by downloads, as well as through traditional exploitation of exposed remote services. In the case of the WannaCry campaign, self-propagating wormable functionality was used to maximize infection. Fortunately, organizations can apply several techniques, such as those in this Analytic Story, to detect and/or mitigate the effects of ransomware.
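To make the detection logic concrete, the following is an added example written for this page (it is not ESCU's own SPL searches): it reimplements three of the story's detections in plain Python over a handful of constructed Sysmon-style events, namely suspicious wevtutil usage, common ransomware extensions, and system processes run from unexpected locations. The extension watch-list, the expected-directory map, the per-host threshold, and every host, user and path in the sample events are assumptions chosen for illustration.

```python
"""Added example (not part of the Analytic Story or ESCU): plain-Python
reconstructions of three detection ideas from this story, run over
constructed Sysmon-style events so the logic can be exercised offline."""
from __future__ import annotations

import ntpath
from collections import defaultdict

# Constructed sample events. EventCode 1 = Sysmon process create,
# EventCode 11 = Sysmon file create. Hosts, users and paths are made up.
SAMPLE_EVENTS = [
    {"EventCode": 1, "host": "ws01", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"EventCode": 1, "host": "ws01", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe sl Microsoft-Windows-PowerShell/Operational /e:false"},
    {"EventCode": 1, "host": "ws02", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe qe System /c:5"},  # benign query, must not fire
    {"EventCode": 1, "host": "ws02", "Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventCode": 1, "host": "ws02", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventCode": 1, "host": "ws03", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"EventCode": 11, "host": "ws01", "TargetFilename": r"C:\Users\alice\Documents\q1.xlsx.WNCRY"},
    {"EventCode": 11, "host": "ws01", "TargetFilename": r"C:\Users\alice\Documents\plan.docx.WNCRY"},
    {"EventCode": 11, "host": "ws01", "TargetFilename": r"C:\Users\alice\Pictures\cat.jpg.WNCRY"},
    {"EventCode": 11, "host": "ws01", "TargetFilename": r"C:\Users\alice\Documents\notes.docx"},
    {"EventCode": 11, "host": "ws03", "TargetFilename": r"C:\Users\carol\Desktop\old.locky"},
]

# 1. Suspicious wevtutil usage: clearing a log (cl / clear-log) or disabling
#    one (sl / set-log ... /e:false). The verb is the first token after the
#    binary; a quoted image path is still a single token, so argv[1] is the verb.
WEVTUTIL_CLEAR = {"cl", "clear-log"}
WEVTUTIL_SET = {"sl", "set-log"}

def suspicious_wevtutil(events):
    hits = []
    for e in events:
        if e.get("EventCode") != 1:
            continue
        if ntpath.basename(e["Image"]).lower() != "wevtutil.exe":
            continue
        argv = e["CommandLine"].split()
        verb = argv[1].lower() if len(argv) > 1 else ""
        if verb in WEVTUTIL_CLEAR:
            hits.append((e["host"], "clear_log", e["CommandLine"]))
        elif verb in WEVTUTIL_SET and any(a.lower() == "/e:false" for a in argv[2:]):
            hits.append((e["host"], "disable_log", e["CommandLine"]))
    return hits

# 2. Common ransomware extensions: file creates whose extension is on a
#    watch-list, thresholded per host. The list is a small constructed subset
#    (WannaCry, Locky, Cerber); a real hunt drives this from a lookup table.
RANSOMWARE_EXTENSIONS = {".wncry", ".locky", ".cerber"}

def ransomware_extension_writes(events, threshold=3):
    per_host = defaultdict(list)
    for e in events:
        if e.get("EventCode") != 11:
            continue
        ext = ntpath.splitext(e["TargetFilename"])[1].lower()
        if ext in RANSOMWARE_EXTENSIONS:
            per_host[e["host"]].append(e["TargetFilename"])
    # One stray file is noise (an old sample, a test); a burst on one host is not.
    return {h: files for h, files in per_host.items() if len(files) >= threshold}

# 3. System processes run from unexpected locations: well-known Windows
#    binaries whose image directory is not one of the places they legitimately live.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

def system_process_unexpected_location(events):
    hits = []
    for e in events:
        if e.get("EventCode") != 1:
            continue
        image = e["Image"].replace("/", "\\").lower()  # normalise separators and case
        name = ntpath.basename(image)
        if name in EXPECTED_DIRS and ntpath.dirname(image) not in EXPECTED_DIRS[name]:
            hits.append((e["host"], e["Image"]))
    return hits

def run_all(events=SAMPLE_EVENTS):
    """Run the three detections and return their findings keyed by detection name."""
    return {
        "suspicious_wevtutil": suspicious_wevtutil(events),
        "ransomware_extension_writes": ransomware_extension_writes(events),
        "system_process_unexpected_location": system_process_unexpected_location(events),
    }

if __name__ == "__main__":
    for name, findings in run_all().items():
        print(f"{name}: {findings}")
```

The shape of each function (filter on process or file fields, aggregate per host, compare against a threshold) is the same shape the story's SPL searches take against the Endpoint data model; the per-host threshold in the extension check is the knob that separates a lone stale sample from an active encryption run, and should be tuned to the environment rather than left at the illustrative value used here.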

Detections

Name | Technique | Type
7zip CommandLine To SMB Share Path | Archive via Utility, Archive Collected Data | Hunting
Allow File And Printing Sharing In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP
Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP
Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP
Attempt To Delete Services | Service Stop, Create or Modify System Process, Windows Service | TTP
Attempt To Disable Services | Service Stop | TTP
BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP
CMLUA Or CMSTPLUA UAC Bypass | System Binary Proxy Execution, CMSTP | TTP
Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal | TTP
Common Ransomware Extensions | Data Destruction | Hunting
Common Ransomware Notes | Data Destruction | Hunting
Conti Common Exec parameter | User Execution | TTP
Delete A Net User | Account Access Removal | Anomaly
Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP
Deleting Shadow Copies | Inhibit System Recovery | TTP
Detect RClone Command-Line Usage | Automated Exfiltration | TTP
Detect Remote Access Software Usage DNS | Remote Access Software | Anomaly
Detect Remote Access Software Usage File | Remote Access Software | Anomaly
Detect Remote Access Software Usage FileInfo | Remote Access Software | Anomaly
Detect Remote Access Software Usage Process | Remote Access Software | Anomaly
Detect Remote Access Software Usage Traffic | Remote Access Software | Anomaly
Detect Remote Access Software Usage URL | Remote Access Software | Anomaly
Detect Renamed RClone | Automated Exfiltration | Hunting
Detect SharpHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Detect SharpHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Detect SharpHound Usage | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Disable AMSI Through Registry | Disable or Modify Tools, Impair Defenses | TTP
Disable ETW Through Registry | Disable or Modify Tools, Impair Defenses | TTP
Disable Logs Using WevtUtil | Indicator Removal, Clear Windows Event Logs | TTP
Disable Net User Account | Service Stop, Valid Accounts | TTP
Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP
Excessive Service Stop Attempt | Service Stop | Anomaly
Excessive Usage Of Net App | Account Access Removal | Anomaly
Excessive Usage Of SC Service Utility | System Services, Service Execution | Anomaly
Execute Javascript With Jscript COM CLSID | Command and Scripting Interpreter, Visual Basic | TTP
Fsutil Zeroing File | Indicator Removal | TTP
ICACLS Grant Command | File and Directory Permissions Modification | TTP
Known Services Killed by Ransomware | Inhibit System Recovery | TTP
MS Exchange Mailbox Replication service writing Active Server Pages | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | TTP
Modification Of Wallpaper | Defacement | TTP
Msmpeng Application DLL Side Loading | DLL Side-Loading, Hijack Execution Flow | TTP
Permission Modification using Takeown App | File and Directory Permissions Modification | TTP
Powershell Disable Security Monitoring | Disable or Modify Tools, Impair Defenses | TTP
Powershell Enable SMB1Protocol Feature | Obfuscated Files or Information, Indicator Removal from Tools | TTP
Powershell Execute COM Object | Component Object Model Hijacking, Event Triggered Execution, PowerShell | TTP
Prevent Automatic Repair Mode using Bcdedit | Inhibit System Recovery | TTP
Prohibited Network Traffic Allowed | Exfiltration Over Alternative Protocol | TTP
Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP
Recursive Delete of Directory In Batch CMD | File Deletion, Indicator Removal | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Remote Process Instantiation via WMI | Windows Management Instrumentation | TTP
Resize Shadowstorage Volume | Service Stop | TTP
Revil Common Exec Parameter | User Execution | TTP
Revil Registry Entry | Modify Registry | TTP
Rundll32 LockWorkStation | System Binary Proxy Execution, Rundll32 | Anomaly
SMB Traffic Spike | SMB/Windows Admin Shares, Remote Services | Anomaly
SMB Traffic Spike - MLTK | SMB/Windows Admin Shares, Remote Services | Anomaly
Scheduled tasks used in BadRabbit ransomware | Scheduled Task | TTP
Schtasks used for forcing a reboot | Scheduled Task, Scheduled Task/Job | TTP
Spike in File Writes |  | Anomaly
Suspicious Event Log Service Behavior | Indicator Removal, Clear Windows Event Logs | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly
Suspicious wevtutil Usage | Clear Windows Event Logs, Indicator Removal | TTP
System Processes Run From Unexpected Locations | Masquerading, Rename System Utilities | Anomaly
TOR Traffic | Proxy, Multi-hop Proxy | TTP
UAC Bypass With Colorui COM Object | System Binary Proxy Execution, CMSTP | TTP
USN Journal Deletion | Indicator Removal | TTP
Uninstall App Using MsiExec | Msiexec, System Binary Proxy Execution | TTP
Unusually Long Command Line |  | Anomaly
Unusually Long Command Line - MLTK |  | Anomaly
WBAdmin Delete System Backups | Inhibit System Recovery | TTP
Wbemprox COM Object Execution | System Binary Proxy Execution, CMSTP | TTP
WevtUtil Usage To Clear Logs | Indicator Removal, Clear Windows Event Logs | TTP
Wevtutil Usage To Disable Logs | Indicator Removal, Clear Windows Event Logs | TTP
WinEvent Scheduled Task Created Within Public Path | Scheduled Task, Scheduled Task/Job | TTP
WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task, Scheduled Task/Job | TTP
Windows Disable Change Password Through Registry | Modify Registry | Anomaly
Windows Disable Lock Workstation Feature Through Registry | Modify Registry | Anomaly
Windows Disable LogOff Button Through Registry | Modify Registry | Anomaly
Windows Disable Memory Crash Dump | Data Destruction | TTP
Windows Disable Shutdown Button Through Registry | Modify Registry | Anomaly
Windows Disable Windows Group Policy Features Through Registry | Modify Registry | Anomaly
Windows DiskCryptor Usage | Data Encrypted for Impact | Hunting
Windows DotNet Binary in Non Standard Path | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | TTP
Windows DotNet Binary in Non Standard Path | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | Anomaly
Windows Event Log Cleared | Indicator Removal, Clear Windows Event Logs | TTP
Windows Hide Notification Features Through Registry | Modify Registry | Anomaly
Windows InstallUtil in Non Standard Path | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | TTP
Windows LOLBin Binary in Non Standard Path | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | Anomaly
Windows NirSoft AdvancedRun | Tool | TTP
Windows Raccine Scheduled Task Deletion | Disable or Modify Tools | TTP
Windows Registry Modification for Safe Mode Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Windows Remote Access Software Hunt | Remote Access Software | Hunting

Reference

source | version: 1