Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware: spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, system processes run from unexpected locations, and many others.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Endpoint_Processes, Network_Traffic
  • Last Updated: 2020-02-04
  • Author: David Dorsey, Splunk
  • ID: cf309d0d-d4aa-4fbb-963d-1e79febd3756

Narrative

Ransomware is an ever-present risk to the enterprise: an infected host encrypts business-critical data and holds it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware into enterprises through spearphishing campaigns and drive-by downloads, as well as through traditional exploitation of exposed remote services. In the case of the WannaCry campaign, self-propagating, wormable functionality was used to maximize infection. Fortunately, organizations can apply several techniques, such as those in this Analytic Story, to detect and/or mitigate the effects of ransomware.

Detections

Name | Technique | Type
7zip CommandLine To SMB Share Path | Archive via Utility, Archive Collected Data | Hunting
Allow File And Printing Sharing In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP
Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP
Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP
Attempt To Delete Services | Service Stop | TTP
Attempt To Disable Services | Service Stop | TTP
BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP
CMLUA Or CMSTPLUA UAC Bypass | Signed Binary Proxy Execution, CMSTP | TTP
Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal on Host | TTP
Common Ransomware Extensions | Data Destruction | Hunting
Common Ransomware Notes | Data Destruction | Hunting
Conti Common Exec parameter | User Execution | TTP
Delete A Net User | Account Access Removal | Anomaly
Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP
Deleting Shadow Copies | Inhibit System Recovery | TTP
Detect RClone Command-Line Usage | Automated Exfiltration | TTP
Detect Renamed RClone | Automated Exfiltration | Hunting
Detect SharpHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Detect SharpHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Detect SharpHound Usage | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Disable AMSI Through Registry | Disable or Modify Tools, Impair Defenses | TTP
Disable ETW Through Registry | Disable or Modify Tools, Impair Defenses | TTP
Disable Logs Using WevtUtil | Indicator Removal on Host, Clear Windows Event Logs | TTP
Disable Net User Account | Service Stop | TTP
Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP
Excessive Service Stop Attempt | Service Stop | Anomaly
Excessive Usage Of Net App | Account Access Removal | Anomaly
Excessive Usage Of SC Service Utility | System Services, Service Execution | Anomaly
Execute Javascript With Jscript COM CLSID | Command and Scripting Interpreter, Visual Basic | TTP
Fsutil Zeroing File | Indicator Removal on Host | TTP
ICACLS Grant Command | File and Directory Permissions Modification | TTP
Known Services Killed by Ransomware | Inhibit System Recovery | TTP
Modification Of Wallpaper | Defacement | TTP
Msmpeng Application DLL Side Loading | DLL Side-Loading, Hijack Execution Flow | TTP
Permission Modification using Takeown App | File and Directory Permissions Modification | TTP
Powershell Disable Security Monitoring | Disable or Modify Tools, Impair Defenses | TTP
Powershell Enable SMB1Protocol Feature | Obfuscated Files or Information, Indicator Removal from Tools | TTP
Powershell Execute COM Object | Component Object Model Hijacking, Event Triggered Execution | TTP
Prevent Automatic Repair Mode using Bcdedit | Inhibit System Recovery | TTP
Prohibited Network Traffic Allowed | Exfiltration Over Alternative Protocol | TTP
Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP
Recursive Delete of Directory In Batch CMD | File Deletion, Indicator Removal on Host | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Remote Process Instantiation via WMI | Windows Management Instrumentation | TTP
Resize Shadowstorage Volume | Service Stop | TTP
Revil Common Exec Parameter | User Execution | TTP
Revil Registry Entry | Modify Registry | TTP
SMB Traffic Spike | SMB/Windows Admin Shares, Remote Services | Anomaly
SMB Traffic Spike - MLTK | SMB/Windows Admin Shares, Remote Services | Anomaly
Schtasks used for forcing a reboot | Scheduled Task, Scheduled Task/Job | TTP
Spike in File Writes | | Anomaly
Start Up During Safe Mode Boot | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Suspicious Event Log Service Behavior | Indicator Removal on Host, Clear Windows Event Logs | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly
Suspicious wevtutil Usage | Clear Windows Event Logs, Indicator Removal on Host | TTP
System Processes Run From Unexpected Locations | Masquerading, Rename System Utilities | TTP
TOR Traffic | Application Layer Protocol, Web Protocols | TTP
UAC Bypass With Colorui COM Object | Signed Binary Proxy Execution, CMSTP | TTP
USN Journal Deletion | Indicator Removal on Host | TTP
Uninstall App Using MsiExec | Msiexec, Signed Binary Proxy Execution | TTP
Unusually Long Command Line | | Anomaly
Unusually Long Command Line - MLTK | | Anomaly
WBAdmin Delete System Backups | Inhibit System Recovery | TTP
Wbemprox COM Object Execution | Signed Binary Proxy Execution, CMSTP | TTP
WevtUtil Usage To Clear Logs | Indicator Removal on Host, Clear Windows Event Logs | TTP
Wevtutil Usage To Disable Logs | Indicator Removal on Host, Clear Windows Event Logs | TTP
WinEvent Scheduled Task Created Within Public Path | Scheduled Task, Scheduled Task/Job | TTP
WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task, Scheduled Task/Job | TTP
Windows DiskCryptor Usage | Data Encrypted for Impact | Hunting
Windows Event Log Cleared | Indicator Removal on Host, Clear Windows Event Logs | TTP

Reference

source | version: 1