forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathcommon_ransomware_notes.yml
More file actions
108 lines (108 loc) · 3.74 KB
/
common_ransomware_notes.yml
File metadata and controls
108 lines (108 loc) · 3.74 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
asset_type: Endpoint
confidence: high
creation_date: '2017-08-21'
data_metadata:
data_models:
- Endpoint
data_source:
- Endpoint Intel
providing_technologies:
- Carbon Black Response
- CrowdStrike Falcon
- Sysmon
description: The search looks for files created with names matching those typically
used in ransomware notes that tell the victim how to get their data back.
detect:
splunk:
correlation_rule:
notable:
nes_fields: dest, file_name
rule_description: A file modification associated with a ransomware victim
notification file detected on $dest$
rule_title: Ransomware Note File detected on $dest$
risk:
risk_object: dest
risk_object_type:
- system
risk_score: 80
schedule:
cron_schedule: 0 * * * *
earliest_time: -70m@m
latest_time: -10m@m
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as
lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path)
as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name |
`drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`|`ransomware_notes`'
suppress:
suppress_fields: dest,file_name
suppress_period: 14400s
eli5: This search looks at file modifications in the Change Analysis data model. It
checks modified file names against an included lookup file, which contains the names
of note files left behind by ransomware (to inform the victim how they can pay the
ransom and retrieve their files). The search returns a list of files with matching
names.
entities:
- dest
how_to_implement: You must be ingesting data that records file-system activity from
your hosts to populate the Endpoint Filesystem data-model node. This is typically
populated via endpoint detection-and-response products, such as Carbon Black, or
via other endpoint data sources, such as Sysmon. The data used for this search is
typically generated via logs that report file-system reads and writes.
id: ada0f478-84a8-4641-a3f1-d82362d6bd71
investigations:
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
name: Get Authentication Logs For Endpoint
type: splunk
- id: d98675ed-da43-4a7e-96a7-eeca3232ba8e
name: Get Update Logs For Endpoint
type: splunk
- id: df7a7f50-30f2-4cde-8448-69d2d5f9b3c5
name: Get Vulnerability Logs For Endpoint
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
name: Get User Information from Identity Table
type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d55
name: Get Risk Modifiers For User
type: splunk
- id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
name: Get Notable History
type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d65
name: Get Risk Modifiers For Endpoint
type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d44
name: Get Backup Logs For Endpoint
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd22
name: Investigate Web Activity From Host
type: splunk
known_false_positives: It's possible that a legitimate file could be created with
the same name used by ransomware note files.
maintainers:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
mappings:
cis20:
- CIS 8
kill_chain_phases:
- Actions on Objectives
mitre_attack: []
nist:
- PR.PT
- DE.CM
modification_date: '2018-11-15'
name: Common Ransomware Notes
original_authors:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '2.0'