This document describes the event architecture for ransomware detection logic, detailing the structure of events, monitoring components, and the decision-making process for identifying potential ransomware activity.
This section describes the event-driven architecture that underpins ransomware detection logic. It provides a unified schema, event handling flow, and classification of event types to ensure consistency, extensibility, and reliable threat evaluation across all components.
The event system supports four primary event categories:
MONITOR– represent raw telemetry from observation components.ALERT– represent detected threats or correlated anomalies.SYSTEM– represent internal system state changes, operational statuses, or health indicators.USER– represent user-initiated actions (e.g., configuration, acknowledgement, or response).
Event consists of two main sections: Metadata and Payload. The Metadata section contains common fields that provide context about the event, while the Payload section contains specific details relevant to the type of event being reported.
Metadata Fields:
event_id[string] Identifies the monitoring component generating the event.event_type[string] Type of the event (e.g., MONITOR, ALERT).provider[string] Name of the event publisher.schema_version[string] Version of the event schema.timestamp[iso-timestamp] Timestamp of when the event occurred.
Metadata Fields: Note: Payloads vary based on the type of event.
Example Event:
{
"metadata": {
"event_id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"event_type": ... EventType ...,
"provider": ... ProviderName ...,
"schema_version": "v1",
"timestamp": "2025-10-18T11:31:51.9754898Z"
},
"payload": {
... specific event payload ...
}
}Providers are components responsible for generating events. Each provider focuses on a specific aspect of system.
- FilesystemMonitor
EventType: MONITOR - ProcessMonitor
EventType: MONITOR - RegistryMonitor
EventType: MONITOR - NetworkMonitor
EventType: MONITOR - IOMonitor
EventType: MONITOR - DetectionEngine
EventType: SYSTEM - AlertHandler
EventType: ALERT
The monitoring components generate events that capture various system activities relevant to ransomware detection. They
publish primarily MONITOR type events. The primary monitoring components include:
FileSystemMonitorMonitors file system activities.ProcessMonitorMonitors process-related activities.RegistryMonitorMonitors registry activities.NetworkMonitorMonitors network activities.IOMonitorMonitors input/output activities.
Example Monitor Event:
{
"metadata": {
"event_id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"event_type": "MONITOR",
"provider": ... ProviderName ...,
"schema_version": "v1",
"timestamp": "2025-10-18T11:31:51.9754898Z"
},
"payload": {
"process_id": 1384,
"thread_id": 1508,
"subject_domain_name": "DESKTOP-XXXXXX",
"process_name": "malware.exe",
"process_path": "C:\malware.exe",
"process_creation_time": "2025-10-18T11:28:50.9653716Z",
"activity": ... Activity Name ...,
"details": {
... specific details ...
}
}
}Each monitoring component generates events with specific payload, as outlined in the sections
below.
FilesystemMonitor monitors various file system activities that are commonly associated with ransomware behavior. Following are the key activities monitored:
FileCreationThis activity includes file creation eventsFileModificationThis activity includes file modification eventsFileRename/ExtensionChangeThis activity includes file rename and extension change eventsDirectoryAccessThis activity includes unique directories accessedBytesWrittenThis activity includes total bytes writtenFileEntropyChangeThis activity includes entropy change in filesShadowCopyDeletedThis activity includes deletion of shadow copiesShadowCopyCreatedThis activity includes shadow copy creation attemptsRansomNoteCreatedThis activity includes ransom-note creation
Example FileCreation activity provided by FilesystemMonitor:
{
"metadata": {
"event_id": "56cc5f8a-1d29-4e11-b7ff-24adbe004cd1",
"event_type": "MONITOR",
"provider": "FilesystemMonitor",
"schema_version": "v1",
"timestamp": "2025-10-18T11:31:51.9754898Z"
},
"payload": {
"process_id": 1384,
"thread_id": 1508,
"subject_domain_name": "DESKTOP-XXXXXX",
"process_name": "malware.exe",
"process_path": "C:\malware.exe",
"process_creation_time": "2025-10-18T11:28:50.9653716Z",
"activity": "FileCreation",
"details": {
"file_path": "C:\Users\User\Documents\important_file.txt"
"file_size": 2048
"entropy": 7.5
}
}
}activity: FileCreation details:
file_path[string] Path of the created file (e.g., C:\Users\User\Documents\important_file.txt)file_size[int] Size of the created file in bytes (e.g., 2048)entropy[float] Entropy value of the created file (e.g., 7.5)
activity: FileModification details:
file_path[string] Path of the modified file (e.g., C:\Users\User\Documents\important_file.txt)previous_file_size[int] Size of the file before modification in bytes (e.g., 2048)new_file_size[int] Size of the file after modification in bytes (e.g., 4096)previous_entropy[float] Entropy value before modification (e.g., 6.0)new_entropy[float] Entropy value after modification (e.g., 7.8)
activity: FileRenameExtensionChange details:
old_file_path[string] Original path of the file (e.g., C:\Users\User\Documents\important_file.txt)new_file_path[string] New path of the file (e.g., C:\Users\User\Documents\important_file.enc)file_size[int] Size of the file in bytes (e.g., 4096)entropy[float] Entropy value of the file (e.g., 7.8)
activity: DirectoryAccess details:
directory_path[string] Path of the accessed directory (e.g., C:\Users\User\Documents)
activity: BytesWritten details:
total_bytes_written[int] Total number of bytes written to files (e.g., 10485760)
activity: FileEntropyChange details:
file_path[string] Path of the file (e.g., C:\Users\User\Documents\important_file.txt)previous_entropy[float] Entropy value before change (e.g., 6.0)new_entropy[float] Entropy value after change (e.g., 7.8)
activity: ShadowCopyDeleted details:
shadow_copy_id[string] Identifier of the deleted shadow copy (e.g., {12345678-1234-1234-1234-1234567890ab})
activity: ShadowCopyCreated details:
shadow_copy_id[string] Identifier of the created shadow copy (e.g., {87654321-4321-4321-4321-ba0987654321})
activity: RansomNoteCreated details:
file_path[string] Path of the created ransom note file (e.g., C:\Users\User\Desktop\README.txt)
This section monitors various process-related activities that may indicate ransomware behavior.
activity: ProcessCreation details:
process_name[string] Name of the created process (e.g., ransomware.exe)process_id_[int] Identifier of the created process (e.g., 4567)parent_process_name[string] Name of the parent process (e.g., explorer.exe)parent_process_id_[int] Identifier of the parent process (e.g., 1234)
activity: ParentChildProcessRelationship details:
parent_process_name[string] Name of the parent process (e.g., cmd.exe)child_process_name[string] Name of the child process (e.g., powershell.exe)relationship_count[int] Number of times this relationship has occurred (e.g., 5)
activity: SuspiciousBinaryUsage details:
process_name[string] Name of the suspicious binary (e.g., certutil.exe)process_id_[int] Identifier of the process (e.g., 7890)command_line[string] Command line arguments used (e.g., certutil -decode input.txt output.exe)
activity: ObfuscatedCommandLine details:
process_name[string] Name of the process (e.g., powershell.exe)process_id_[int] Identifier of the process (e.g., 3456)command_line[string] Obfuscated command line arguments (e.g., powershell -EncodedCommand ...)
activity: ProcessLifetime details:
process_name[string] Name of the process (e.g., malware.exe)process_id_[int] Identifier of the process (e.g., 5678)lifetime_seconds[int] Lifetime of the process in seconds (e.g., 120)
activity: ModuleLoadAnomaly details:
process_name[string] Name of the process (e.g., svchost.exe)process_id_[int] Identifier of the process (e.g., 2345)module_name[string] Name of the loaded module (e.g., suspicious.dll)module_path[string] Path of the loaded module (e.g., C:\Windows\System32\suspicious.dll)
activity: PrivilegeEscalationAttempt details:
process_name[string] Name of the process (e.g., exploit.exe)process_id_[int] Identifier of the process (e.g., 6789)escalation_method[string] Method used for privilege escalation (e.g., token manipulation)
This section monitors various registry activities that may indicate ransomware behavior.
activity: RegistryWrite details:
RegistryPath[string] Path of the modified registry key (e.g.,KEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run)ValueName[string] Name of the modified value (e.g., MalwareStartup)ValueData[string] Data of the modified value (e.g., C:\malware.exe)
activity: SecurityFeatureToggle details:
FeatureName[string] Name of the security feature (e.g., Windows Defender)NewState[string] New state of the feature (e.g., Disabled)
activity: SystemRestoreRemoval details:
RestorePointID[string] Identifier of the removed restore point (e.g., {abcdef12-3456-7890-abcd-ef1234567890})
This section monitors various network activities that may indicate ransomware behavior.
activity: OutboundConnection details:
destination_ip[string] IP address of the outbound connection (e.g., 192.168.1.100)destination_port[int] Port number of the outbound connection (e.g., 443)protocol[string] Protocol used for the connection (e.g., TCP)
activity: RareForeignIPConnection details:
destination_ip[string] IP address of the outbound connection (e.g., 203.0.113.50)country[string] Country of the destination IP (e.g., Russia)connection_count[int] Number of connections to this IP (e.g., 3)
activity: DataVolumePerConnection details:
destination_ip[string] IP address of the outbound connection (e.g., 198.51.100.25)data_volume_bytes[int] Amount of data sent in bytes (e.g., 1048576)connection_duration_seconds[int] Duration of the connection in seconds (e.g., 60)
activity: PortProtocolAnomaly details:
destination_port[int] Port number of the outbound connection (e.g., 8080)protocol[string] Protocol used for the connection (e.g., UDP)
This section monitors various input/output activities that may indicate ransomware behavior.
activity: HighCPUUtilization details:
cpu_usage_percent[float] CPU usage percentage (e.g., 95.5)
activity: HighDiskIO details:
disk_read_bytes_per_sec[int] Disk read bytes per second (e.g., 10485760)disk_write_bytes_per_sec[int] Disk write bytes per second (e.g., 20971520)
activity: EncryptionAPICall details:
api_name[string] Name of the encryption-related API (e.g., CryptEncrypt)process_name[string] Name of the process making the API call (e.g., ransomware.exe)
Alert events are generated when the detection logic identifies potential ransomware activity based on the analysis of the monitored events. These alerts provide insights into the nature of the detected activity and the involved components.
- RansomwareActivityDetected
EventType: ALERT - SuspiciousFileSystemActivity
EventType: ALERT - SuspiciousProcessActivity
EventType: ALERT - SuspiciousRegistryActivity
EventType: ALERT - SuspiciousNetworkActivity
EventType: ALERT - SuspiciousIOActivity
EventType: ALERT
Example Alert Event:
{
"metadata": {
"event_id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"event_type": "ALERT",
"provider": "AlertHandler"
"schema_version": "v1,
"timestamp": "2025-10-18T12:00:00.0000000Z",
},
"payload": {
"alert_id": "alert-123456",
"severity": "High",
"description": "Ransomware activity detected involving process malware.exe",
"involved_process_name": "malware.exe",
"involved_process_id": 1384,
"involved_process_path": "C:\malware.exe",
"related_events": [
{
... event details ...
}
]
}
}AlertHandler generates events with specific payload fields according to the type of alert being generated, as outlined
in the sections below.
This alert indicates that the detection logic has identified behavior consistent with ransomware activity.
This alert indicates that suspicious file system activities have been detected that may be indicative of ransomware behavior.
This alert indicates that suspicious process-related activities have been detected that may be indicative of ransomware behavior.
This alert indicates that suspicious registry activities have been detected that may be indicative of ransomware behavior.
This alert indicates that suspicious network activities have been detected that may be indicative of ransomware behavior.
This alert indicates that suspicious input/output activities have been detected that may be indicative of ransomware behavior.
Each event moves through a pipeline. This ensures loose coupling, fault isolation, and high concurrency for real-time
detection. The event data is handled by MonitorHandler. This component is responsible for parsing the event,
extracting relevant fields, and passing it to the DetectionEngine for analysis.
Below simple diagram illustrates the flow diagram of an event through the system:
+------------------+
+---------------->| LogManager |
| | |
| +------------------+
| Λ
| |
| |
+------------------+ +------------------+ +------------------+ +------------------+ +------------------+
| Monitoring | ---> | MonitorHandler | ---> | DetectionEngine | ---> | AlertHandler | ---> | Router |
| Components | | | | | | | | |
+------------------+ +------------------+ +------------------+ +------------------+ +------------------+
Λ Λ Λ Λ | | |
| | | | | | |
| | | | v v v
FileSystemMonitor Event Correlation +------------------+ +------------------+
ProcessMonitor | Executor | | Frontend |
RegistryMonitor | | | |
NetworkMonitor +------------------+ +------------------+
IOMonitor
Channels maintain bounded queues to prevent overflow. When queue utilization > 80%, a SYSTEM.Channel.CongestionDetected event is emitted. Priority scheduling ensures alerts and system events are processed before low-severity monitors.
Events include a schema_version field in their metadata to indicate the version of the event schema being used. This
allows for backward compatibility and smooth transitions when the event structure is updated. The system validates the
received events against the specified schema version to ensure proper parsing and handling.
All events, including monitor events and alerts, are stored in a centralized event store for auditing, analysis, and historical reference. The event store supports querying based on various criteria such as event type, timestamp, severity, and involved components.
The system maintains a schema registry that defines the structure and fields for each event type. This registry ensures that all components adhere to a consistent event format, facilitating interoperability and ease of integration across different modules. The schema registry is versioned to accommodate changes and updates to the event definitions over time. Event schemas are validated against the registry during event generation and processing.
The detection logic aggregates and analyzes the events generated by the various monitoring components. It uses thresholds, patterns, and correlations to identify potential ransomware activity. Alerts are generated when suspicious behavior is detected based on the defined criteria.
The system continuously monitors and logs events from all Monitors. When an event is generated, it is evaluated against
the detection logic. The DetectionEngine aggregates events over a defined time window and applies correlation rules to
identify patterns indicative of ransomware activity. It looks for combinations of high-risk activities across different
monitors, such as rapid file modifications, suspicious process creations, and registry changes. Since ransomware often
try to trick the operating system into treating its processes as legitimate, DetectionEngine pays special attention
to events that involve known system processes exhibiting unusual behavior. These behaviors include spawning child
processes to hide malicious activity, making unauthorized registry changes, or engaging in network communications that
are atypical for system processes. Event correlation takes into account the context of each event, such as the process
involved, the time of occurrence. Since identifying each process by its unique process id may obfuscate the
detection of ransomware activity, the detection engine DetectionEngine maintains a mapping of process ids including
parent-child relationships to accurately track activities across related processes.
The DetectionEngine analyzes events within a sliding time window to capture rapid sequences of activities that may
indicate ransomware behavior.
The detection logic includes explicit correlation rules that define specific combinations of events that are indicative of ransomware activity. For example, a rule may specify that a high rate of file modifications combined with registry changes and network connections to known malicious IPs within a short time frame should trigger an alert.
Description: Triggers when a process attempts to encrypt files extremely quickly—often with multi-threaded or parallelized operations. Ransomware often performs high-speed encryption to maximize damage before detection. This rule detects abnormal write patterns, rapid file transformations, and unusual bursts of cryptographic API use.
IF: A process (PID=X) performs >10 high-entropy file writes to diverse file extensions (e.g., .docx, .pdf, .jpg,
.db) within a 60-second window.
AND: The file write rate exceeds a threshold of 10 files/second sustained for 5 seconds.
AND: Files span at least 3 different file extensions.
CORRELATION: Real-time file system monitor data for PID=X.
CONFIDENCE: CRITICAL
SCORE: 95
Description: Detects attempts to exfiltrate sensitive data before encryption, a hallmark of modern double-extortion ransomware groups. The rule monitors large outbound data transmissions combined with suspicious file access activity. If data leaves the system shortly before encryption spikes, the alert triggers.
IF: A process (PID=X) is detected uploading a large volume of data (e.g., >100MB in 5 minutes) to an external IP
not in a whitelist of cloud services.
AND: Within a subsequent window (e.g., 10 minutes), the same process (PID=X) initiates high-entropy file writes.
CORRELATION: Network egress monitoring -> File system encryption activity for the same PID=X.
CONFIDENCE: CRITICAL
SCORE: 90
Description: Identifies attempts to disable system recovery mechanisms such as shadow copies, backups, or Windows Recovery configurations. Ransomware frequently destroys backup options to ensure victims cannot restore data. This is often one of the earliest malicious steps taken before encryption begins.
IF: A process (PID=X) successfully executes a command to delete shadow copies (vssadmin delete shadows /all /quiet)
or modifies backup/recovery settings.
AND: Within the next 120 seconds, any process in its process tree (PID=X or its children) begins high-entropy file
writes.
CORRELATION: Process command-line monitoring -> Subsequent file activity from the process tree.
CONFIDENCE: HIGH
SCORE: 85
Description: Detects a two-stage ransomware attack where a small loader or dropper launches a more destructive encryption payload. The rule monitors suspicious parent-child process relationships, unpacking behavior, or unsigned binaries delivered shortly before encryption starts. This helps catch advanced staged attacks.
IF: A process (PID=X, e.g., a macro-enabled document) spawns a child process (PID=Y).
AND: The child process (PID=Y) has no digital signature or is signed by an unknown publisher.
AND: Within 30 seconds, the child process (PID=Y) begins high-entropy file writes (>50 files).
CORRELATION: Process ancestry -> Process image verification -> File system activity.
CONFIDENCE: HIGH
SCORE: 80
Description: Detects misuse of system-native tools such as PowerShell, certutil, vssadmin, wmic, or rundll32 for malicious purposes. Ransomware often avoids custom binaries and instead uses built-in tools to evade signature-based defenses. This rule is crucial for catching sophisticated "fileless" ransomware.
IF: A system utility process (powershell.exe, cmd.exe, wmic.exe, bcdedit.exe, certutil.exe, rundll32.exe) is
launched with a suspicious command-line (e.g., containing -EncodedCommand, Invoke-WebRequest, Delete Shadows,
shadowcopy).
AND: The parent process is not a known admin tool (e.g., not explorer.exe for user-initiated) or comes from a
suspicious path (e.g., TEMP).
AND: Within 60 seconds, a related process (child or sibling) exhibits high-entropy file writes.
CORRELATION: Process ancestry & command-line analysis -> File system activity.
CONFIDENCE: MEDIUM-HIGH (Prone to false positives, requires careful tuning).
SCORE: 70
Description: Catches malware disguising itself as legitimate system processes (e.g., svchost.exe, explorer.exe, lsass.exe, csrss.exe). This technique is used heavily by ransomware to avoid security tools and blend into normal process trees. The rule triggers on inconsistent file paths, mismatched signatures, or anomalous behavior for a supposedly trusted process.
IF: A process is observed with a name like lsass.exe, csrss.exe, or svchost.exe BUT is running from a non-standard
directory (e.g., C:\Users\Public\ or C:\Temp\).
AND: This process performs any of the following:
Opens a large number of files for writing (>10 file operations).
Makes calls to cryptographic libraries (e.g., bcrypt.dll, advapi32.dll for CryptEncrypt).
CORRELATION: Process image path analysis -> File I/O & API monitoring.
CONFIDENCE: HIGH
SCORE: 80
Description: Detects modifications to file timestamps intended to hide malicious activity or blend into legitimate file histories. Timestomping is used to obscure ransomware's initial execution point. This rule helps track stealth attempts during or after an attack.
IF: A process (PID=X) modifies the LastWriteTime or CreationTime of a large number of files it is also writing to.
AND: The file writes are high-entropy.
CORRELATION: File system metadata events -> File content events for the same PID=X.
CONFIDENCE: MEDIUM (Could be backup software, but highly suspicious in this context).
SCORE: 60
Description: Detects attempts to enumerate or mount network drives and shared folders. Many ransomware families propagate by scanning for accessible SMB shares before encryption. This rule identifies unusual network traversal patterns, excessive directory queries, or remote volume mappings.
IF: A process (PID=X) is observed accessing files on multiple network shares (>2 network paths accessed).
AND: The same process (PID=X) is writing high-entropy data to both local user directories and these network shares
simultaneously.
OR: Process performs >20 directory enumerations across network paths.
CORRELATION: File system monitor (path analysis) -> Entropy analysis -> Network activity for the same PID=X.
CONFIDENCE: HIGH
SCORE: 75
Description: Identifies rapid connection attempts across multiple ports or hosts—behavior consistent with reconnaissance and lateral movement. Ransomware often scans the network to locate additional systems to infect. This rule looks for bursty, sequential, or wide-range port probes.
IF: A process (PID=X) attempts connections to >10 different ports within 60 seconds.
OR: Process attempts connections to >5 different hosts within 60 seconds.
CORRELATION: Network connection monitoring -> Port/host diversity analysis for PID=X.
CONFIDENCE: HIGH
SCORE: 70
Description: Identifies extensive directory enumeration, file scanning, and metadata collection before encryption. Ransomware typically maps the file system to locate high-value data. This rule detects scanning behavior inconsistent with normal user or application activity.
IF: A process (PID=X) performs a high volume of FileOpen operations with Read access only, across >20 different
directories.
AND: Within 180 seconds, the same process (PID=X) or its child switches to Write access and begins high-entropy
writes.
CORRELATION: File system read pattern -> File system write pattern for the same PID=X.
CONFIDENCE: MEDIUM-HIGH
SCORE: 65
Description: Detects outbound connections to known malicious ports or suspicious external hosts commonly associated with ransomware command-and-control infrastructure. The rule analyzes unusual connection patterns, uncommon ports, and destination reputation. It's essential for catching ransomware communicating with operators.
IF: A process (PID=X) makes connections to suspicious ports (8080, 8443, 4444, 5555, 6666, 7777, 9999, 1337,
31337).
OR: Process makes >5 connections to the same suspicious port within 5 minutes.
CORRELATION: Network connection monitoring -> Port analysis -> Frequency analysis for PID=X.
CONFIDENCE: HIGH
SCORE: 85
Description: Detects repetitive, periodic communication to the same external IP or domain, a common behavior of beaconing back to a command server. Beaconing often occurs before encryption or while waiting for operator instructions. This rule highlights low-volume but high-frequency network activity.
IF: A process (PID=X) makes repeated connections to the same external IP/domain at regular intervals.
AND: Connection pattern shows periodicity (e.g., every 30-60 seconds) over at least 5 minutes.
CORRELATION: Network connection monitoring -> Temporal pattern analysis for PID=X.
CONFIDENCE: HIGH
SCORE: 75
Description: Triggers when large volumes of data are transmitted externally outside normal patterns. Ransomware actors often steal data before encryption to increase extortion leverage. This rule watches for unusual bandwidth spikes, rare destinations, and high-frequency file read-and-send patterns.
IF: A process (PID=X) transmits >20MB of data to external IP addresses within 5 minutes.
AND: Destination is not in approved cloud services whitelist.
CORRELATION: Network egress monitoring -> Data volume analysis for PID=X.
CONFIDENCE: HIGH
SCORE: 85
Description: Identifies attempts to connect to Tor nodes or initiate Tor client services. Ransomware frequently uses Tor for anonymized communication with operators or exfiltration servers. This rule covers both direct Tor protocol detection and known Tor gateway endpoints.
IF: A process (PID=X) attempts to connect to known Tor entry nodes or Tor network ports (9001, 9030, 9050, 9051).
OR: Process launches tor.exe or similar Tor client executable.
CORRELATION: Network connection monitoring -> Tor node database lookup for PID=X.
CONFIDENCE: HIGH
SCORE: 70
Description: Flags creation of ransom note files across the file system (e.g., README.txt, HOW_TO_RECOVER_FILES.html). The sudden appearance of multiple identical ransom messages is a strong indicator of active encryption. This rule often triggers late in the attack chain but confirms infection.
IF: A process (PID=X) creates files with known ransom note names (README.txt, HOW_TO_DECRYPT.html,
DECRYPT_INSTRUCTIONS.txt, etc.) in multiple directories (>3 locations).
AND: The same process (PID=X) is currently or was recently performing high-entropy file writes.
CORRELATION: File system creation events (specific filenames) -> Entropy analysis for the same PID=X.
CONFIDENCE: CRITICAL
SCORE: 95
Description: Detects unauthorized changes to desktop wallpaper, commonly used by ransomware to display ransom demands. Since few legitimate applications change wallpaper at scale, this is an important behavioral indicator during the extortion phase.
IF: A process (PID=X) modifies the Windows registry key for the desktop wallpaper
(HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper).
OR: Writes a file to the system wallpaper directory.
AND: The same process (PID=X) has a high risk score from other file/process activities.
CORRELATION: Registry monitoring -> File system activity -> Existing risk score for PID=X.
CONFIDENCE: HIGH
SCORE: 75
Description: Triggers when a trusted or signed parent process spawns an unsigned child binary, which may indicate compromise or process injection. This behavior is frequently used by malware loaders or droppers. It's a weak but valuable precursor indicator.
IF: A trusted/signed parent process (PID=X) spawns a child process (PID=Y).
AND: The child process (PID=Y) has no digital signature or is unsigned.
CORRELATION: Process ancestry -> Digital signature verification for parent and child.
CONFIDENCE: LOW
SCORE: 45
Description: Flags outbound connections to unclassified, low-reputation, or rare IP addresses. While this activity may be benign, it's often associated with malware callback attempts. Useful as an early anomaly indicator.
IF: A process (PID=X) makes outbound connections to IP addresses not in the known-good whitelist.
AND: Destination has low reputation score or is classified as suspicious.
CORRELATION: Network connection monitoring -> IP reputation database lookup for PID=X.
CONFIDENCE: LOW
SCORE: 40
Each correlation rule is assigned a weight based on its confidence level and potential impact. The DetectionEngine
calculates a cumulative score for each process based on the rules it triggers. If the score exceeds a predefined
threshold, an alert is generated.
Score Distribution by Rule:
-
Critical Indicators (Score 90-95):
- RFE-001: Rapid File Encryption (95)
- PEE-002: Pre-Encryption Exfiltration (90)
- RNC-012: Ransom Note Creation (95)
-
High Indicators (Score 70-85):
- RST-003: Recovery System Tampering (85)
- DPE-004: Dropper Payload Execution (80)
- PIS-005: Process Identity Spoofing (80)
- NSE-006: Network Share Enumeration (75)
- MCT-007: Malicious C2 Traffic (85)
- MPA-008: Multiport Probing Activity (70)
- RBT-009: Repeated Beacon Traffic (75)
- MDE-010: Mass Data Exfiltration (85)
- TCA-011: Tor Connection Activity (70)
- DWM-013: Desktop Wallpaper Modification (75)
-
Medium Indicators (Score 60-70):
- LTA-014: LOTL Tool Abuse (70)
- FRA-015: Filesystem Recon Activity (65)
- FTT-016: File Timestamp Tampering (60)
-
Low Indicators (Score 40-45):
- UCPS-017: Unsigned Child Process Spawn (45)
- SEC-018: Suspicious External Connection (40)
Severity Thresholds:
- Critical Alert: Cumulative score ≥ 90
- High Alert: Cumulative score ≥ 70
- Medium Alert: Cumulative score ≥ 50
- Low Alert: Cumulative score ≥ 30
| Rule ID | Rule Name | Confidence | Score | Primary Action | Secondary Action | Tertiary Action | Notes |
|---|---|---|---|---|---|---|---|
| RFE-001 | Rapid File Encryption | CRITICAL | 95 | Immediate Process Termination | Full Host Isolation | Memory dump & alert | No delay - maximum damage prevention |
| PEE-002 | Pre-Encryption Exfiltration | CRITICAL | 90 | Immediate Termination + Host Isolation | Block external IPs | Memory dump | Critical data theft detected |
| RST-003 | Recovery System Tampering | HIGH | 85 | Terminate Process Tree | Block network for process tree | Alert admin | Preemptive before encryption starts |
| DPE-004 | Dropper Payload Execution | HIGH | 80 | Terminate Child Process + Parent | Quarantine both executables | Block network | Stop the entire attack chain |
| PIS-005 | Process Identity Spoofing | HIGH | 80 | Immediate Termination | File quarantine | Block image from executing | Definite malicious process |
| NSE-006 | Network Share Enumeration | HIGH | 75 | Terminate Process | Block network shares for user | Alert admin | Prevent lateral encryption |
| MCT-007 | Malicious C2 Traffic | HIGH | 85 | Terminate Process | Block suspicious IPs/ports | Alert admin | Prevent C2 communication |
| MPA-008 | Multiport Probing Activity | HIGH | 70 | Terminate Process | Block network access | Alert admin | Stop network reconnaissance |
| RBT-009 | Repeated Beacon Traffic | HIGH | 75 | Terminate Process | Block destination IP | Alert admin | Stop command server communication |
| MDE-010 | Mass Data Exfiltration | HIGH | 85 | Immediate Termination + Host Isolation | Block external IPs | Memory dump | Critical data theft detected |
| TCA-011 | Tor Connection Activity | HIGH | 70 | Terminate Process | Block Tor nodes | Alert admin | Prevent anonymous communication |
| RNC-012 | Ransom Note Creation | CRITICAL | 95 | Terminate Process | Restore from backup if available | Full host scan | Attack is complete - damage control |
| DWM-013 | Desktop Wallpaper Modification | HIGH | 75 | Terminate Process | Session lock | Alert admin | User is about to see ransom demand |
| LTA-014 | LOTL Tool Abuse | MEDIUM-HIGH | 70 | Terminate Process | Log detailed command-line | Alert for review | Caution with system tools |
| FRA-015 | Filesystem Recon Activity | MEDIUM-HIGH | 65 | Alert & Monitor | Increase process monitoring | No termination yet | Wait for follow-on activity |
| FTT-016 | File Timestamp Tampering | MEDIUM | 60 | Terminate Process | Alert admin | Continue monitoring | Combined with other indicators |
| UCPS-017 | Unsigned Child Process Spawn | LOW | 45 | Alert Only | Monitor parent and child | Log for analysis | Weak indicator - needs correlation |
| SEC-018 | Suspicious External Connection | LOW | 40 | Alert Only | Log connection details | Monitor process | Early anomaly indicator |
Response Action Definitions:
- Immediate Process Termination: Kill the malicious process immediately using SIGTERM/SIGKILL
- Terminate Process Tree: Recursively terminate process and all children (bottom-up)
- Terminate Child Process + Parent: Kill both parent dropper and child payload processes
- Full Host Isolation: Disable all network interfaces completely
- Block Network Access: Add firewall rules to block all connections for specific process
- Block External IPs: Block connections to specific external IP addresses
- Block Suspicious IPs/Ports: Block access to known malicious ports and destinations
- Block Network Shares: Restrict user access to network shares
- Quarantine: Move executable files to quarantine directory for forensic analysis
- Memory Dump: Capture process memory before termination for investigation
- Session Lock: Lock user session to prevent further interaction
- Alert Admin: Send high-priority notification to security team
- Alert & Monitor: Log alert and increase monitoring without termination
- Alert Only: Generate alert without taking action (for low-confidence rules)