diff --git a/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml b/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml index 9b8abca9a6..a2496efcd6 100644 --- a/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml +++ b/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml @@ -10,11 +10,11 @@ description: This search looks for specific authentication events from the Windo data_source: - Windows Event Log Security 4624 search: '`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp NOT AccountName="ANONYMOUS LOGON") OR (Logon_Type=9 Logon_Process=seclogo) -| fillnull -| stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `detect_activity_related_to_pass_the_hash_attacks_filter`' + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `detect_activity_related_to_pass_the_hash_attacks_filter`' how_to_implement: To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows. known_false_positives: Legitimate logon activity by authorized NTLM systems may be @@ -23,6 +23,7 @@ references: [] tags: analytic_story: - Active Directory Lateral Movement + - BlackSuit Ransomware asset_type: Endpoint confidence: 70 impact: 70 diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml index 8244563d1b..85d7f4a5c7 100644 --- a/detections/endpoint/anomalous_usage_of_7zip.yml +++ b/detections/endpoint/anomalous_usage_of_7zip.yml 
@@ -43,6 +43,7 @@ tags: - BlackByte Ransomware - Cobalt Strike - Graceful Wipe Out Attack + - BlackSuit Ransomware asset_type: Endpoint confidence: 80 impact: 80 diff --git a/detections/endpoint/create_remote_thread_into_lsass.yml b/detections/endpoint/create_remote_thread_into_lsass.yml index ea1084f575..a4c32abbf2 100644 --- a/detections/endpoint/create_remote_thread_into_lsass.yml +++ b/detections/endpoint/create_remote_thread_into_lsass.yml @@ -31,6 +31,7 @@ references: tags: analytic_story: - Credential Dumping + - BlackSuit Ransomware asset_type: Windows confidence: 90 impact: 90 diff --git a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml index 77f0b0e806..9d50d54086 100644 --- a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml +++ b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml @@ -35,6 +35,7 @@ tags: - Detect Zerologon Attack - CISA AA23-347A - Credential Dumping + - BlackSuit Ransomware asset_type: Windows confidence: 100 impact: 80 diff --git a/detections/endpoint/detect_sharphound_command_line_arguments.yml b/detections/endpoint/detect_sharphound_command_line_arguments.yml index 51d16a6f89..e604f18487 100644 --- a/detections/endpoint/detect_sharphound_command_line_arguments.yml +++ b/detections/endpoint/detect_sharphound_command_line_arguments.yml @@ -43,6 +43,7 @@ tags: analytic_story: - Windows Discovery Techniques - Ransomware + - BlackSuit Ransomware asset_type: Endpoint confidence: 80 impact: 30 diff --git a/detections/endpoint/detect_sharphound_file_modifications.yml b/detections/endpoint/detect_sharphound_file_modifications.yml index 718559e461..9baff85c8e 100644 --- a/detections/endpoint/detect_sharphound_file_modifications.yml +++ b/detections/endpoint/detect_sharphound_file_modifications.yml 
@@ -37,6 +37,7 @@ tags: analytic_story: - Windows Discovery Techniques - Ransomware + - BlackSuit Ransomware asset_type: Endpoint confidence: 80 impact: 30 diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml index fc69094941..8aeb4e05b9 100644 --- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml +++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml @@ -32,6 +32,7 @@ tags: analytic_story: - CISA AA23-347A - Active Directory Kerberos Attacks + - BlackSuit Ransomware asset_type: Endpoint confidence: 90 impact: 60 diff --git a/detections/endpoint/domain_controller_discovery_with_nltest.yml b/detections/endpoint/domain_controller_discovery_with_nltest.yml index 6a1dd7d0e5..1bc0a5d35c 100644 --- a/detections/endpoint/domain_controller_discovery_with_nltest.yml +++ b/detections/endpoint/domain_controller_discovery_with_nltest.yml @@ -39,6 +39,7 @@ tags: - Active Directory Discovery - CISA AA23-347A - Rhysida Ransomware + - BlackSuit Ransomware asset_type: Endpoint confidence: 70 impact: 30 diff --git a/detections/endpoint/elevated_group_discovery_with_net.yml b/detections/endpoint/elevated_group_discovery_with_net.yml index f667778adf..9459acf2cb 100644 --- a/detections/endpoint/elevated_group_discovery_with_net.yml +++ b/detections/endpoint/elevated_group_discovery_with_net.yml @@ -47,6 +47,7 @@ tags: - Active Directory Discovery - Volt Typhoon - Rhysida Ransomware + - BlackSuit Ransomware asset_type: Endpoint confidence: 70 impact: 30 diff --git a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml index ac28c68fd7..ee4b3e4655 100644 --- a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml 
+++ b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml @@ -42,6 +42,7 @@ tags: - Data Destruction - Hermetic Wiper - Trickbot + - BlackSuit Ransomware asset_type: Endpoint confidence: 100 impact: 70 diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml index d66cccde9d..a242036c87 100644 --- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml +++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml @@ -29,6 +29,7 @@ references: tags: analytic_story: - Active Directory Kerberos Attacks + - BlackSuit Ransomware asset_type: Endpoint confidence: 90 impact: 50 diff --git a/detections/endpoint/randomly_generated_windows_service_name.yml b/detections/endpoint/randomly_generated_windows_service_name.yml index 386eae5efc..7357fda8ea 100644 --- a/detections/endpoint/randomly_generated_windows_service_name.yml +++ b/detections/endpoint/randomly_generated_windows_service_name.yml @@ -27,6 +27,7 @@ references: tags: analytic_story: - Active Directory Lateral Movement + - BlackSuit Ransomware asset_type: Endpoint confidence: 50 impact: 90 diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index c1bfa0cf48..6ee57a7b99 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -77,6 +77,7 @@ tags: - CISA AA23-347A - Snake Keylogger - MoonPeak + - BlackSuit Ransomware asset_type: Endpoint confidence: 95 impact: 80 diff --git a/detections/endpoint/rubeus_command_line_parameters.yml b/detections/endpoint/rubeus_command_line_parameters.yml index 73c9ac3726..507446ecb0 100644 --- a/detections/endpoint/rubeus_command_line_parameters.yml 
+++ b/detections/endpoint/rubeus_command_line_parameters.yml @@ -49,6 +49,7 @@ tags: - Active Directory Privilege Escalation - CISA AA23-347A - Active Directory Kerberos Attacks + - BlackSuit Ransomware asset_type: Endpoint confidence: 60 impact: 60 diff --git a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml index 9f2a73434f..bb376bc6b4 100644 --- a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml +++ b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml @@ -37,6 +37,7 @@ tags: analytic_story: - CISA AA23-347A - Active Directory Kerberos Attacks + - BlackSuit Ransomware asset_type: Endpoint confidence: 60 impact: 60 diff --git a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml index f1fe25961f..5463fe8080 100644 --- a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml @@ -48,6 +48,7 @@ tags: - BlackByte Ransomware - PrintNightmare CVE-2021-34527 - Graceful Wipe Out Attack + - BlackSuit Ransomware asset_type: Endpoint confidence: 100 cve: diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml index d2fcf549d3..4c6dcab962 100644 --- a/detections/endpoint/system_information_discovery_detection.yml +++ b/detections/endpoint/system_information_discovery_detection.yml @@ -41,6 +41,7 @@ tags: analytic_story: - Windows Discovery Techniques - Gozi Malware + - BlackSuit Ransomware asset_type: Windows confidence: 50 impact: 30 diff --git a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml index edc7472aa2..acb78c8790 100644 
--- a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml +++ b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml @@ -40,6 +40,7 @@ references: tags: analytic_story: - Active Directory Kerberos Attacks + - BlackSuit Ransomware asset_type: Endpoint confidence: 60 impact: 60 diff --git a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml index af65815e95..dc10897e5f 100644 --- a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml +++ b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml @@ -35,6 +35,7 @@ references: tags: analytic_story: - Active Directory Discovery + - BlackSuit Ransomware asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml index fde48019ed..4d4460ae65 100644 --- a/detections/endpoint/windows_ad_privileged_object_access_activity.yml +++ b/detections/endpoint/windows_ad_privileged_object_access_activity.yml @@ -40,6 +40,7 @@ references: tags: analytic_story: - Active Directory Discovery + - BlackSuit Ransomware asset_type: Endpoint confidence: 50 impact: 80 diff --git a/detections/endpoint/windows_adfind_exe.yml b/detections/endpoint/windows_adfind_exe.yml index 396269cb15..2b826ac1f4 100644 --- a/detections/endpoint/windows_adfind_exe.yml +++ b/detections/endpoint/windows_adfind_exe.yml @@ -47,6 +47,7 @@ tags: - IcedID - NOBELIUM Group - Graceful Wipe Out Attack + - BlackSuit Ransomware asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/windows_driver_load_non_standard_path.yml b/detections/endpoint/windows_driver_load_non_standard_path.yml index 9dd0aacff0..c6585c949d 100644 --- a/detections/endpoint/windows_driver_load_non_standard_path.yml +++ b/detections/endpoint/windows_driver_load_non_standard_path.yml 
@@ -35,6 +35,7 @@ tags: - CISA AA22-320A - AgentTesla - BlackByte Ransomware + - BlackSuit Ransomware asset_type: Endpoint confidence: 60 impact: 60 diff --git a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml index 8320268295..a398762d0a 100644 --- a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml +++ b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml @@ -56,6 +56,7 @@ references: tags: analytic_story: - Windows Privilege Escalation + - BlackSuit Ransomware asset_type: Endpoint confidence: 40 impact: 100 diff --git a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml index a879e325d8..7b8699af27 100644 --- a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml +++ b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml @@ -35,6 +35,7 @@ references: tags: analytic_story: - Windows Privilege Escalation + - BlackSuit Ransomware asset_type: Endpoint confidence: 80 impact: 100 diff --git a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml index 801c75f46e..fb32f8c1c2 100644 --- a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml +++ b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml @@ -50,6 +50,7 @@ references: tags: analytic_story: - Windows Privilege Escalation + - BlackSuit Ransomware asset_type: Endpoint confidence: 80 impact: 100 
diff --git a/detections/endpoint/windows_remote_create_service.yml b/detections/endpoint/windows_remote_create_service.yml index 7df5ea8be0..60b313f4bd 100644 --- a/detections/endpoint/windows_remote_create_service.yml +++ b/detections/endpoint/windows_remote_create_service.yml @@ -40,6 +40,7 @@ tags: analytic_story: - Active Directory Lateral Movement - CISA AA23-347A + - BlackSuit Ransomware asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/windows_remote_services_rdp_enable.yml b/detections/endpoint/windows_remote_services_rdp_enable.yml index 4d62b4d31a..190d6aa77c 100644 --- a/detections/endpoint/windows_remote_services_rdp_enable.yml +++ b/detections/endpoint/windows_remote_services_rdp_enable.yml @@ -33,6 +33,7 @@ references: tags: analytic_story: - Azorult + - BlackSuit Ransomware asset_type: Endpoint confidence: 70 impact: 70 diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml index a30da724a5..2b1beb2283 100644 --- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml +++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml @@ -44,6 +44,7 @@ tags: - Data Destruction - Amadey - Scheduled Tasks + - BlackSuit Ransomware asset_type: Endpoint confidence: 100 impact: 80 diff --git a/stories/blacksuit_ransomware.yml b/stories/blacksuit_ransomware.yml new file mode 100644 index 0000000000..836f605316 --- /dev/null +++ b/stories/blacksuit_ransomware.yml 
@@ -0,0 +1,25 @@ +name: BlackSuit Ransomware +id: 4c7bef12-679f-433c-92dd-d9feccc1432b +version: 1 +date: '2024-08-26' +author: Michael Haag, Splunk +description: This analytic story covers the tactics, techniques, and procedures (TTPs) associated with BlackSuit ransomware, as observed in a December 2023 intrusion. The story encompasses the full attack lifecycle, from initial access via Cobalt Strike beacons to lateral movement, credential access, and ultimately the deployment of BlackSuit ransomware. It aims to help security teams detect and respond to similar attacks by focusing on key behaviors such as Cobalt Strike activity, use of tools like ADFind and Sharphound, and the final ransomware deployment phase. +narrative: In December 2023, a sophisticated intrusion culminating in the deployment of BlackSuit ransomware was observed. The attack began with the execution of a Cobalt Strike beacon, which initially communicated through CloudFlare to conceal the true C2 server. The threat actors leveraged various tools throughout the intrusion, including Sharphound, Rubeus, SystemBC, and ADFind, alongside built-in Windows utilities. + + The attackers conducted extensive reconnaissance and lateral movement, using techniques such as AS-REP Roasting, Kerberoasting, and accessing LSASS memory for credential theft. They deployed multiple Cobalt Strike beacons across the environment and utilized RDP for further lateral movement. SystemBC was employed on a file server, providing additional command and control capabilities and proxy functionality. + + After a period of intermittent activity spanning 15 days, the threat actors executed their final objective. They used ADFind for additional discovery, ran the Get-DataInfo.ps1 PowerShell script to gather system information, and ultimately deployed the BlackSuit ransomware. The ransomware binary (qwe.exe) was distributed via SMB to remote systems through admin shares, and executed manually via RDP sessions. 
Upon execution, the ransomware deleted shadow copies before encrypting files across the compromised systems. + + This analytic story provides detections for various stages of this attack, including Cobalt Strike beacon activity, use of reconnaissance tools, suspicious PowerShell executions, and indicators of ransomware deployment. By monitoring for these behaviors, security teams can potentially detect and mitigate BlackSuit ransomware attacks before they reach their final, destructive stage. + +references: + - https://thedfirreport.com/2024/08/26/blacksuit-ransomware/ +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection + cve: [] \ No newline at end of file
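Review bot: detect_activity_related_to_pass_the_hash_attacks.yml lives under detections/deprecated/, so adding it to the analytic_story list of the new BlackSuit Ransomware story surfaces a deprecated analytic through the story; either tag the detection that replaced it or confirm that deprecated content is intended to be reachable from analytic_story. The re-indentation of the five `| ...` continuation lines inside the single-quoted `search:` scalar is whitespace-only (YAML folds leading whitespace on continuation lines of a quoted scalar, so the SPL is unchanged) and is unrelated to the tag change, so it would be cleaner as a separate commit or left out of this one.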
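Review bot: the new stories/blacksuit_ransomware.yml ends without a trailing newline (`\ No newline at end of file`); add one so the last line does not churn in every later diff. The narrative also describes behaviours that none of the detections tagged in this patch cover, notably SystemBC proxy and C2 activity on the file server and the shadow copy deletion before encryption, and the description promises "suspicious PowerShell executions" while the only PowerShell-oriented detection tagged here is disabled_kerberos_pre_authentication_discovery_with_get_aduser; either tag existing detections for those stages or narrow the description and the closing "This analytic story provides detections for ..." paragraph to what the story actually provides. `cve: []` is acceptable if the story schema permits an empty list; otherwise drop the key.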