forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathsamsam.yml
More file actions
100 lines (95 loc) · 4.54 KB
/
samsam.yml
File metadata and controls
100 lines (95 loc) · 4.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
category:
- Malware
channel: ESCU
creation_date: '2018-12-13'
description: Leverage searches that allow you to detect and investigate unusual activities
that might relate to the SamSam ransomware, including looking for file writes associated
with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware
extensions, suspicious psexec use, and more.
detections:
- detection_id: b89919ed-ee5f-492c-b139-95dbb162039e
name: Deleting Shadow Copies
type: splunk
- detection_id: fdb0f805-74e4-4539-8c00-618927333aae
name: Spike in File Writes
type: splunk
- detection_id: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec
name: Common Ransomware Extensions
type: splunk
- detection_id: ada0f478-84a8-4641-a3f1-d82362d6bd71
name: Common Ransomware Notes
type: splunk
- detection_id: a51bfe1a-94f0-48cc-b4e4-b6ae50145893
name: Prohibited Software On Endpoint
type: splunk
- detection_id: b89919ed-fe5f-492c-b139-151xb162040e
name: Detect PsExec With accepteula Flag
type: splunk
- detection_id: 272b8407-842d-4b3d-bead-a704584003d3
name: Remote Desktop Network Traffic
type: splunk
- detection_id: 104658f4-afdc-499e-9719-17243f982681
name: Detect attackers scanning for vulnerable JBoss servers
type: splunk
- detection_id: c8bff7a4-11ea-4416-a27d-c5bca472913d
name: Detect malicious requests to exploit JBoss servers
type: splunk
- detection_id: a98727cc-286b-4ff2-b898-41df64695923
name: Remote Desktop Network Bruteforce
type: splunk
- detection_id: 02c6cfc2-ae66-4735-bfc7-6291da834cbf
name: File with Samsam Extension
type: splunk
- detection_id: 69c12d59-d951-431e-ab77-ec426b8d65e6
name: Samsam Test File Write
type: splunk
- detection_id: 503d17cb-9eab-4cf8-a20e-01d5c6987ae3
name: Batch File Write to System32
type: splunk
id: c4b89506-fbcf-4cb7-bfd6-527e54789604
maintainers:
- company: Splunk
email: rvaldez@splunk.com
name: Rico Valdez
modification_date: '2018-12-13'
name: SamSam Ransomware
narrative: 'The first version of the SamSam ransomware (a.k.a. Samas or SamsamCrypt)
was launched in 2015 by a group of Iranian threat actors. The malicious software
has affected and continues to affect thousands of victims and has raised almost
$6M in ransom.\
Although categorized under the heading of ransomware, SamSam campaigns have some
importance distinguishing characteristics. Most notable is the fact that conventional
ransomware is a numbers game. Perpetrators use a "spray-and-pray" approach with
phishing campaigns or other mechanisms, charging a small ransom (typically under
$1,000). The goal is to find a large number of victims willing to pay these mini-ransoms,
adding up to a lucrative payday. They use relatively simple methods for infecting
systems.\
SamSam attacks are different beasts. They have become progressively more targeted
and skillful than typical ransomware attacks. First, malicious actors break into
a victim''s network, surveil it, then run the malware manually. The attacks are
tailored to cause maximum damage and the threat actors usually demand amounts in
the tens of thousands of dollars.\
In a typical attack on one large healthcare organization in 2018, the company ended
up paying a ransom of four Bitcoins, then worth $56,707. Reports showed that access
to the company''s files was restored within two hours of paying the sum.\
According to Sophos, SamSam previously leveraged RDP to gain access to targeted
networks via brute force. SamSam is not spread automatically, like other malware.
It requires skill because it forces the attacker to adapt their tactics to the individual
environment. Next, the actors escalate their privileges to admin level. They scan
the networks for worthy targets, using conventional tools, such as PsExec or PaExec,
to deploy/execute, quickly encrypting files.\
This Analytic Story includes searches designed to help detect and investigate signs
of the SamSam ransomware, such as the creation of fileswrites to system32, writes
with tell-tale extensions, batch files written to system32, and evidence of brute-force
attacks via RDP.'
original_authors:
- company: Splunk
email: rvaldez@splunk.com
name: Rico Valdez
references:
- https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/
- https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/
- https://thehackernews.com/2018/07/samsam-ransomware-attacks.html
spec_version: 2
usecase: Advanced Threat Detection
version: '1.0'