Merge pull request #1383 from splunk/darkside
Darkside Ransomware
Showing 23 changed files with 482 additions and 7 deletions.
@@ -0,0 +1,48 @@ | ||
name: CMLUA Or CMSTPLUA UAC Bypass | ||
id: f87b5062-b405-11eb-a889-acde48001122 | ||
version: 1 | ||
date: '2021-05-13' | ||
author: Teoderick Contreras, Splunk | ||
type: batch | ||
datamodel: | ||
- Endpoint | ||
description: This analytic detects a potential process using COM Object like CMLUA | ||
or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative | ||
privileges to its running process. | ||
search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", | ||
"*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", | ||
"*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime | ||
by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | ||
| `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`' | ||
how_to_implement: To successfully implement this search, you need to be ingesting | ||
logs with the process name and imageloaded executions from your endpoints. If you | ||
are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. | ||
known_false_positives: Legitimate windows application that are not on the list loading | ||
this dll. Filter as needed. | ||
references: | ||
- https://attack.mitre.org/techniques/T1218/003/ | ||
tags: | ||
analytic_story: | ||
- DarkSide Ransomware | ||
- Ransomware | ||
kill_chain_phases: | ||
- Exploitation | ||
mitre_attack_id: | ||
- T1218.003 | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
required_fields: | ||
- _time | ||
- Image | ||
- ImageLoaded | ||
- process_name | ||
- Computer | ||
- EventCode | ||
- Signed | ||
- ProcessId | ||
security_domain: endpoint | ||
automated_detection_testing: passed | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/darkside_cmstp_com/windows-sysmon.log |
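Review bot: the MITRE mapping is inconsistent with the test data: `mitre_attack_id` is `T1218.003` (CMSTP) and the reference points at `T1218/003`, yet the `dataset` path lives under `attack_techniques/T1548/darkside_cmstp_com`, and the behaviour the description names (COM elevation to bypass UAC) is the `T1548.002` sub-technique; pick one and align the tag, reference and dataset path. Separately, `NOT(Image IN("*\\windows\\*", "*\\program files*"))` excludes every image under `\Windows\`, including its user-writable subdirectories, so a loader dropped there never surfaces; narrow the exclusion to the directories you actually need, or key it on `Signed` (already in the `by` clause) rather than on path alone. Minor: "COM Object like CMLUA" should read "COM objects such as CMLUA".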
@@ -0,0 +1,59 @@ | ||
name: Detect RClone Command-Line Usage | ||
id: 32e0baea-b3f1-11eb-a2ce-acde48001122 | ||
version: 1 | ||
date: '2021-05-13' | ||
author: Michael Haag, Splunk | ||
type: batch | ||
datamodel: | ||
- Endpoint | ||
description: This analytic identifies commonly used command-line arguments used by | ||
`rclone.exe` to initiate a file transfer. Some arguments were negated as they are | ||
specific to the configuration used by adversaries. In particular, an adversary may | ||
list the files or directories of the remote file share using `ls` or `lsd`, which | ||
is not indicative of malicious behavior. During triage, at this stage of a ransomware | ||
event, exfiltration is about to occur or has already. Isolate the endpoint and continue | ||
investigating by review file modifications and parallel processes. | ||
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) | ||
as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*copy*", | ||
"*mega*", "*pcloud*", "*ftp*", "*--config*", "*--progress*", "*--no-check-certificate*", | ||
"*--ignore-existing*", "*--auto-confirm*", "*--transfers*", "*--multi-thread-streams*") by | ||
Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id | ||
Processes.parent_process_id | ||
| `drop_dm_object_name(Processes)` | ||
| `security_content_ctime(firstTime)` | ||
| `security_content_ctime(lastTime)` | ||
| `detect_rclone_command_line_usage_filter`' | ||
how_to_implement: To successfully implement this search you need to be ingesting information | ||
on process that include the name of the process responsible for the changes from | ||
your endpoints into the `Endpoint` datamodel in the `Processes` node. | ||
known_false_positives: There is potential for false positives as these arguments may | ||
be used by other applications. Filter or tune the analytic as needed. | ||
references: | ||
- https://redcanary.com/blog/rclone-mega-extortion/ | ||
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html | ||
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ | ||
tags: | ||
analytic_story: | ||
- DarkSide Ransomware | ||
- Ransomware | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log | ||
kill_chain_phases: | ||
- Exfiltration | ||
mitre_attack_id: | ||
- T1020 | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
required_fields: | ||
- _time | ||
- Processes.dest | ||
- Processes.user | ||
- Processes.parent_process | ||
- Processes.process_name | ||
- Processes.process | ||
- Processes.process_id | ||
- Processes.parent_process_id | ||
security_domain: endpoint | ||
automated_detection_testing: passed |
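Review bot: the search never restricts `Processes.process_name` (or `OriginalFileName`) to `rclone.exe`, so substring patterns such as `*copy*`, `*ftp*` and `*--progress*` match any process on the endpoint, not just `rclone.exe`; add a process-name condition ahead of the argument list (or pair it with the renamed-rclone logic in this PR), or state in the description that this is a generic transfer-tooling analytic. The description also says some arguments "were negated" and that `ls`/`lsd` are excluded, but the search has no `NOT` clause; it simply omits those tokens, so reword that sentence. Minor: "continue investigating by review file modifications" should read "continue investigating by reviewing file modifications".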
@@ -0,0 +1,54 @@ | ||
name: Detect Renamed RClone | ||
id: 6dca1124-b3ec-11eb-9328-acde48001122 | ||
version: 1 | ||
date: '2021-05-13' | ||
author: Michael Haag, Splunk | ||
type: batch | ||
datamodel: [] | ||
description: The following analytic identifies the usage of `rclone.exe`, renamed, | ||
being used to exfiltrate data to a remote destination. RClone has been used by multiple | ||
ransomware groups to exfiltrate data. In many instances, it will be downloaded from | ||
the legitimate site and executed accordingly. During triage, isolate the endpoint | ||
and begin to review parallel processes for additional behavior. At this stage, the | ||
adversary may have staged data to be exfiltrated. | ||
search: '`sysmon` EventID=1 OriginalFileName=rclone.exe NOT process_name=rclone.exe | ||
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, User, | ||
parent_process_name, process_name, OriginalFileName, process_path, CommandLine | | ||
rename Computer as dest | ||
| `security_content_ctime(firstTime)` | ||
| `security_content_ctime(lastTime)` | ||
| `detect_renamed_rclone_filter`' | ||
how_to_implement: To successfully implement this search, you need to be ingesting | ||
logs with the process name, parent process, and command-line executions from your | ||
endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the | ||
Sysmon TA. | ||
known_false_positives: False positives should be limited as this analytic identifies | ||
renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business | ||
use case. | ||
references: | ||
- https://redcanary.com/blog/rclone-mega-extortion/ | ||
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html | ||
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ | ||
tags: | ||
analytic_story: | ||
- DarkSide Ransomware | ||
- Ransomware | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log | ||
kill_chain_phases: | ||
- Exfiltration | ||
mitre_attack_id: | ||
- T1020 | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
required_fields: | ||
- _time | ||
- OriginalFileName | ||
- process_name | ||
- process_path | ||
- CommandLine | ||
- dest | ||
security_domain: endpoint | ||
automated_detection_testing: passed |
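Review bot: the search filters on `EventID=1` while the CMLUA analytic in this same PR filters on `EventCode=7`; Splunk extracts Windows event IDs as `EventCode`, so use that field consistently or this search silently returns nothing where `EventID` is not extracted. `required_fields` also drifts from the search: it lists `dest`, which only exists after `rename Computer as dest`, and omits `Computer`, `User` and `parent_process_name`, all of which appear in the `by` clause.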
@@ -0,0 +1,52 @@ | ||
name: Extract SAM from Registry | ||
id: 8bbb7d58-b360-11eb-ba21-acde48001122 | ||
version: 1 | ||
date: '2021-05-12' | ||
author: Michael Haag, Splunk | ||
type: batch | ||
datamodel: | ||
- Endpoint | ||
description: The following analytic identifies the use of `reg.exe` exporting Windows | ||
Registry hives containing credentials. Adversaries may use this technique to export | ||
registry hives for offline credential access attacks. Typically found executed from | ||
a untrusted process or script. Upon execution, a file will be written to disk. | ||
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) | ||
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg.exe | ||
(Processes.process=*save* OR Processes.process=*export*) AND (Processes.process=*sam* | ||
OR Processes.process=*system* OR Processes.process=*security*) by Processes.dest | ||
Processes.user Processes.parent_process Processes.process_name Processes.process | ||
Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | ||
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `extract_sam_from_registry_filter`' | ||
how_to_implement: To successfully implement this search you need to be ingesting information | ||
on process that include the name of the process responsible for the changes from | ||
your endpoints into the `Endpoint` datamodel in the `Processes` node. | ||
known_false_positives: It is possible some agent based products will generate false | ||
positives. Filter as needed. | ||
references: | ||
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html | ||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md | ||
tags: | ||
analytic_story: | ||
- DarkSide Ransomware | ||
- Credential Dumping | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log | ||
kill_chain_phases: | ||
- Exploitation | ||
mitre_attack_id: | ||
- T1003.002 | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
required_fields: | ||
- _time | ||
- Processes.dest | ||
- Processes.user | ||
- Processes.parent_process | ||
- Processes.process_name | ||
- Processes.process | ||
- Processes.process_id | ||
- Processes.parent_process_id | ||
security_domain: endpoint | ||
automated_detection_testing: passed |
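Review bot: the hive matching is broader than the description implies: `Processes.process=*system*` matches any `reg.exe save`/`export` whose command line contains "system" anywhere, including `System32` output paths and unrelated `HKLM\SYSTEM` subkeys, and `*sam*` matches words such as "sample"; anchor the patterns to the hive names (for example `*hklm\\sam*`, `*hklm\\system*`, `*hklm\\security*`) so the `known_false_positives` note about agent-based products stays accurate. Also "from a untrusted process" should read "from an untrusted process", and `kill_chain_phases: Exploitation` is a loose fit for a credential-access step; check the phase used by the other analytics in the Credential Dumping story.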
@@ -0,0 +1,59 @@ | ||
name: SLUI RunAs Elevated | ||
id: 8d124810-b3e4-11eb-96c7-acde48001122 | ||
version: 1 | ||
date: '2021-05-13' | ||
author: Michael Haag, Splunk | ||
type: batch | ||
datamodel: | ||
- Endpoint | ||
description: The following analytic identifies the Microsoft Software Licensing User | ||
Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This | ||
particular bypass utilizes a registry key/value. Identified by two sources, the | ||
registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`. | ||
To simulate this behavior, multiple POC are available. The analytic identifies the | ||
use of `runas` by `slui.exe`. | ||
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) | ||
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe | ||
(Processes.process=*-verb* Processes.process=*runas*) by Processes.dest Processes.user | ||
Processes.parent_process Processes.process_name Processes.process Processes.process_id | ||
Processes.parent_process_id | ||
| `drop_dm_object_name(Processes)` | ||
| `security_content_ctime(firstTime)` | ||
| `security_content_ctime(lastTime)` | ||
| `slui_runas_elevated_filter`' | ||
how_to_implement: To successfully implement this search you need to be ingesting information | ||
on process that include the name of the process responsible for the changes from | ||
your endpoints into the `Endpoint` datamodel in the `Processes` node. | ||
known_false_positives: Limited false positives should be present as this is not commonly | ||
used by legitimate applications. | ||
references: | ||
- https://www.exploit-db.com/exploits/46998 | ||
- https://medium.com/@mattharr0ey/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b | ||
- https://gist.github.com/r00t-3xp10it/0c92cd554d3156fd74f6c25660ccc466 | ||
- https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/ | ||
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html | ||
tags: | ||
analytic_story: | ||
- DarkSide Ransomware | ||
- Windows Defense Evasion Tactics | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log | ||
kill_chain_phases: | ||
- Exploitation | ||
mitre_attack_id: | ||
- T1548.002 | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
required_fields: | ||
- _time | ||
- Processes.dest | ||
- Processes.user | ||
- Processes.parent_process | ||
- Processes.process_name | ||
- Processes.process | ||
- Processes.process_id | ||
- Processes.parent_process_id | ||
security_domain: endpoint | ||
automated_detection_testing: passed |
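Review bot: the description says the bypass "utilizes a registry key/value" under `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`, yet the search only inspects the `slui.exe` command line for `*-verb*` and `*runas*`; the registry write is the more durable artefact and survives a launcher that passes different arguments, so consider a companion `Endpoint.Registry` analytic on those two key paths and link it from the story. The description also says "Identified by two sources" while five references are listed, and "multiple POC are available" should read "multiple PoCs are available".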