security-content/detections/common_ransomware_extensions.yml at develop · jwindley-splunk/security-content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
asset_type: Endpoint
confidence: high
creation_date: '2017-08-21'
data_metadata:
  data_models:
    - Endpoint
  data_source:
    - Endpoint Intel
  providing_technologies:
    - Carbon Black Response
    - CrowdStrike Falcon
    - Sysmon
description: The search looks for file modifications with extensions commonly used
  by Ransomware
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: dest, file_name
        rule_description: A file modification was detected on $dest$ with an extension
          commonly used by ransomware.
        rule_title: Ransomware Extension detected on $dest$
      risk:
        risk_object: dest
        risk_object_type:
          - system
        risk_score: 80
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as
        lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path)
        as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name |
        `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`|
        rex field=file_name "(?<file_extension>\.[^\.]+)$" | `ransomware_extensions`'
      suppress:
        suppress_fields: dest,file_name
        suppress_period: 14400s
eli5: This search looks at file modifications across your hosts and identifies files
  with extensions that are commonly associated with the encrypted files generated
  by ransomware.
entities:
  - dest
how_to_implement: 'You must be ingesting data that records the filesystem activity
  from your hosts to populate the Endpoint file-system data model node. If you are
  using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which
  you want to collect data.\

  This search produces fields (`query`,`query_length`,`count`) that are not yet supported
  by ES Incident Review and therefore cannot be viewed when a notable event is raised.
  These fields contribute additional context to the notable. To see the additional
  metadata, add the following fields, if not already present, to Incident Review -
  Event Attributes (Configure > Incident Management > Incident Review Settings > Add
  New Entry):\\n1. **Label:** Name, **Field:** Name\

  1. \

  1. **Label:** File Extension, **Field:** file_extension\

  Detailed documentation on how to create a new field within Incident Review may be
  found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`'
id: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec
investigations:
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
    name: Get Authentication Logs For Endpoint
    type: splunk
  - id: d98675ed-da43-4a7e-96a7-eeca3232ba8e
    name: Get Update Logs For Endpoint
    type: splunk
  - id: df7a7f50-30f2-4cde-8448-69d2d5f9b3c5
    name: Get Vulnerability Logs For Endpoint
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
    name: Get User Information from Identity Table
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d55
    name: Get Risk Modifiers For User
    type: splunk
  - id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
    name: Get Notable History
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d65
    name: Get Risk Modifiers For Endpoint
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d44
    name: Get Backup Logs For Endpoint
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd22
    name: Investigate Web Activity From Host
    type: splunk
known_false_positives: It is possible for a legitimate file with these extensions
  to be created. If this is a true ransomware attack, there will be a large number
  of files created with these extensions.
maintainers:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
mappings:
  cis20:
    - CIS 8
  kill_chain_phases:
    - Actions on Objectives
  mitre_attack: []
  nist:
    - PR.PT
    - DE.CM
modification_date: '2018-11-15'
name: Common Ransomware Extensions
original_authors:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '2.0'