Branch was auto-updated.

splunk · Sep 4, 2024 · 32ae716 · 32ae716
2 parents 97afa5a + 74301e8
commit 32ae716
Show file tree

Hide file tree

Showing 29 changed files with 58 additions and 5 deletions.
diff --git a/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml b/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml
@@ -10,11 +10,11 @@ description: This search looks for specific authentication events from the Windo
 data_source:
 - Windows Event Log Security 4624
 search: '`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp NOT AccountName="ANONYMOUS LOGON") OR (Logon_Type=9 Logon_Process=seclogo) 
-| fillnull 
-| stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest 
-| `security_content_ctime(firstTime)`
-| `security_content_ctime(lastTime)` 
-| `detect_activity_related_to_pass_the_hash_attacks_filter`'
+  | fillnull 
+  | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` 
+  | `detect_activity_related_to_pass_the_hash_attacks_filter`'
 how_to_implement: To successfully implement this search, you must ingest your Windows
   Security Event logs and leverage the latest TA for Windows.
 known_false_positives: Legitimate logon activity by authorized NTLM systems may be
@@ -23,6 +23,7 @@ references: []
 tags:
   analytic_story:
   - Active Directory Lateral Movement
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 70
   impact: 70

diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml
@@ -43,6 +43,7 @@ tags:
   - BlackByte Ransomware
   - Cobalt Strike
   - Graceful Wipe Out Attack
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 80
   impact: 80

diff --git a/detections/endpoint/create_remote_thread_into_lsass.yml b/detections/endpoint/create_remote_thread_into_lsass.yml
@@ -31,6 +31,7 @@ references:
 tags:
   analytic_story:
   - Credential Dumping
+  - BlackSuit Ransomware
   asset_type: Windows
   confidence: 90
   impact: 90

diff --git a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml
@@ -35,6 +35,7 @@ tags:
   - Detect Zerologon Attack
   - CISA AA23-347A
   - Credential Dumping
+  - BlackSuit Ransomware
   asset_type: Windows
   confidence: 100
   impact: 80

diff --git a/detections/endpoint/detect_sharphound_command_line_arguments.yml b/detections/endpoint/detect_sharphound_command_line_arguments.yml
@@ -43,6 +43,7 @@ tags:
   analytic_story:
   - Windows Discovery Techniques
   - Ransomware
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 80
   impact: 30

diff --git a/detections/endpoint/detect_sharphound_file_modifications.yml b/detections/endpoint/detect_sharphound_file_modifications.yml
@@ -37,6 +37,7 @@ tags:
   analytic_story:
   - Windows Discovery Techniques
   - Ransomware
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 80
   impact: 30

diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
@@ -32,6 +32,7 @@ tags:
   analytic_story:
   - CISA AA23-347A
   - Active Directory Kerberos Attacks
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 90
   impact: 60

diff --git a/detections/endpoint/domain_controller_discovery_with_nltest.yml b/detections/endpoint/domain_controller_discovery_with_nltest.yml
@@ -39,6 +39,7 @@ tags:
   - Active Directory Discovery
   - CISA AA23-347A
   - Rhysida Ransomware
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 70
   impact: 30

diff --git a/detections/endpoint/elevated_group_discovery_with_net.yml b/detections/endpoint/elevated_group_discovery_with_net.yml
@@ -47,6 +47,7 @@ tags:
   - Active Directory Discovery
   - Volt Typhoon
   - Rhysida Ransomware
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 70
   impact: 30

diff --git a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml
@@ -42,6 +42,7 @@ tags:
   - Data Destruction
   - Hermetic Wiper
   - Trickbot
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 100
   impact: 70

diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
@@ -29,6 +29,7 @@ references:
 tags:
   analytic_story:
   - Active Directory Kerberos Attacks
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 90
   impact: 50

diff --git a/detections/endpoint/randomly_generated_windows_service_name.yml b/detections/endpoint/randomly_generated_windows_service_name.yml
@@ -27,6 +27,7 @@ references:
 tags:
   analytic_story:
   - Active Directory Lateral Movement
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 50
   impact: 90

diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -77,6 +77,7 @@ tags:
   - CISA AA23-347A
   - Snake Keylogger
   - MoonPeak
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 95
   impact: 80

diff --git a/detections/endpoint/rubeus_command_line_parameters.yml b/detections/endpoint/rubeus_command_line_parameters.yml
@@ -49,6 +49,7 @@ tags:
   - Active Directory Privilege Escalation
   - CISA AA23-347A
   - Active Directory Kerberos Attacks
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 60
   impact: 60

diff --git a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml
@@ -37,6 +37,7 @@ tags:
   analytic_story:
   - CISA AA23-347A
   - Active Directory Kerberos Attacks
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 60
   impact: 60

diff --git a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
@@ -48,6 +48,7 @@ tags:
   - BlackByte Ransomware
   - PrintNightmare CVE-2021-34527
   - Graceful Wipe Out Attack
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 100
   cve:

diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml
@@ -41,6 +41,7 @@ tags:
   analytic_story:
   - Windows Discovery Techniques
   - Gozi Malware
+  - BlackSuit Ransomware
   asset_type: Windows
   confidence: 50
   impact: 30

diff --git a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
@@ -40,6 +40,7 @@ references:
 tags:
   analytic_story:
   - Active Directory Kerberos Attacks
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 60
   impact: 60

diff --git a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
@@ -35,6 +35,7 @@ references:
 tags:
   analytic_story:
   - Active Directory Discovery
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 50
   impact: 50

diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml
@@ -40,6 +40,7 @@ references:
 tags:
   analytic_story:
   - Active Directory Discovery
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 50
   impact: 80

diff --git a/detections/endpoint/windows_adfind_exe.yml b/detections/endpoint/windows_adfind_exe.yml
@@ -47,6 +47,7 @@ tags:
   - IcedID
   - NOBELIUM Group
   - Graceful Wipe Out Attack
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 50
   impact: 50

diff --git a/detections/endpoint/windows_driver_load_non_standard_path.yml b/detections/endpoint/windows_driver_load_non_standard_path.yml
@@ -35,6 +35,7 @@ tags:
   - CISA AA22-320A
   - AgentTesla
   - BlackByte Ransomware
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 60
   impact: 60

diff --git a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
@@ -56,6 +56,7 @@ references:
 tags:
   analytic_story:
   - Windows Privilege Escalation
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 40
   impact: 100

diff --git a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
@@ -35,6 +35,7 @@ references:
 tags:
   analytic_story:
   - Windows Privilege Escalation
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 80
   impact: 100

diff --git a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
@@ -50,6 +50,7 @@ references:
 tags:
   analytic_story:
   - Windows Privilege Escalation
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 80
   impact: 100

diff --git a/detections/endpoint/windows_remote_create_service.yml b/detections/endpoint/windows_remote_create_service.yml
@@ -40,6 +40,7 @@ tags:
   analytic_story:
   - Active Directory Lateral Movement
   - CISA AA23-347A
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 50
   impact: 50

diff --git a/detections/endpoint/windows_remote_services_rdp_enable.yml b/detections/endpoint/windows_remote_services_rdp_enable.yml
@@ -33,6 +33,7 @@ references:
 tags:
   analytic_story:
   - Azorult
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 70
   impact: 70

diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
@@ -44,6 +44,7 @@ tags:
   - Data Destruction
   - Amadey
   - Scheduled Tasks
+  - BlackSuit Ransomware
   asset_type: Endpoint
   confidence: 100
   impact: 80

diff --git a/stories/blacksuit_ransomware.yml b/stories/blacksuit_ransomware.yml
@@ -0,0 +1,25 @@
+name: BlackSuit Ransomware
+id: 4c7bef12-679f-433c-92dd-d9feccc1432b
+version: 1
+date: '2024-08-26'
+author: Michael Haag, Splunk
+description: This analytic story covers the tactics, techniques, and procedures (TTPs) associated with BlackSuit ransomware, as observed in a December 2023 intrusion. The story encompasses the full attack lifecycle, from initial access via Cobalt Strike beacons to lateral movement, credential access, and ultimately the deployment of BlackSuit ransomware. It aims to help security teams detect and respond to similar attacks by focusing on key behaviors such as Cobalt Strike activity, use of tools like ADFind and Sharphound, and the final ransomware deployment phase.
+narrative: In December 2023, a sophisticated intrusion culminating in the deployment of BlackSuit ransomware was observed. The attack began with the execution of a Cobalt Strike beacon, which initially communicated through CloudFlare to conceal the true C2 server. The threat actors leveraged various tools throughout the intrusion, including Sharphound, Rubeus, SystemBC, and ADFind, alongside built-in Windows utilities.
+
+  The attackers conducted extensive reconnaissance and lateral movement, using techniques such as AS-REP Roasting, Kerberoasting, and accessing LSASS memory for credential theft. They deployed multiple Cobalt Strike beacons across the environment and utilized RDP for further lateral movement. SystemBC was employed on a file server, providing additional command and control capabilities and proxy functionality.
+
+  After a period of intermittent activity spanning 15 days, the threat actors executed their final objective. They used ADFind for additional discovery, ran the Get-DataInfo.ps1 PowerShell script to gather system information, and ultimately deployed the BlackSuit ransomware. The ransomware binary (qwe.exe) was distributed via SMB to remote systems through admin shares, and executed manually via RDP sessions. Upon execution, the ransomware deleted shadow copies before encrypting files across the compromised systems.
+
+  This analytic story provides detections for various stages of this attack, including Cobalt Strike beacon activity, use of reconnaissance tools, suspicious PowerShell executions, and indicators of ransomware deployment. By monitoring for these behaviors, security teams can potentially detect and mitigate BlackSuit ransomware attacks before they reach their final, destructive stage.
+
+references:
+  - https://thedfirreport.com/2024/08/26/blacksuit-ransomware/
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection
+  cve: []