[New Rules] Ransomware Encryption & Note Creation (#2652)
* [New Rules] Ransomware Encryption & Note Creation * changed description * Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/impact_potential_linux_ransomware_note_detected.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
@@ -0,0 +1,46 @@
|
||||
[metadata]
|
||||
creation_date = "2023/03/20"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/03/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Ransomware is a type of malware that encrypts a victim's files or systems and demands payment
|
||||
(usually in cryptocurrency) in exchange for the decryption key. One important indicator of a
|
||||
ransomware attack is the mass encryption of the file system, after which a new file extension
|
||||
is added to the file. This rule identifies a sequence of 50 file extension rename events
|
||||
by the same process in a timespan of 1 second.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Suspicious File Changes Activity Detected"
|
||||
risk_score = 73
|
||||
rule_id = "28738f9f-7427-4d23-bc69-756708b5f624"
|
||||
severity = "high"
|
||||
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact"]
|
||||
type = "eql"
|
||||
query = '''
|
||||
sequence by host.id, process.entity_id, file.extension with maxspan=1s
|
||||
[ file where host.os.type == "linux" and event.type == "change" and
|
||||
event.action == "rename" and file.extension != "" ] with runs=50 | tail 1
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1486"
|
||||
name = "Data Encrypted for Impact"
|
||||
reference = "https://attack.mitre.org/techniques/T1486/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0040"
|
||||
name = "Impact"
|
||||
reference = "https://attack.mitre.org/tactics/TA0040/"
|
||||
@@ -0,0 +1,60 @@
|
||||
[metadata]
|
||||
creation_date = "2023/03/20"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/03/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Ransomware is a type of malware that encrypts a victim's files or systems and demands payment
|
||||
(usually in cryptocurrency) in exchange for the decryption key. One important indicator of a
|
||||
ransomware attack is the mass encryption of the file system, after which a new file extension
|
||||
is added to the file. Generally, a ransomware note with contact details is dropped onto the
|
||||
file system which can be used by the victim to contact the attacker. This rule identifies a
|
||||
sequence of a mass file encryption event in conjunction with the creation of a .txt file with
|
||||
a file name containing ransomware keywords executed by the same process in a 1 second timespan.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Linux Ransomware Note Creation Detected"
|
||||
risk_score = 73
|
||||
rule_id = "c8935a8b-634a-4449-98f7-bb24d3b2c0af"
|
||||
severity = "high"
|
||||
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact"]
|
||||
type = "eql"
|
||||
query = '''
|
||||
sequence by host.id, process.entity_id with maxspan=1s
|
||||
[ file where host.os.type == "linux" and event.type == "change" and
|
||||
event.action == "rename" and file.extension != "" ] with runs=50
|
||||
[ file where host.os.type == "linux" and event.action == "creation" and
|
||||
file.extension == "txt" and file.name : (
|
||||
"*crypt*",
|
||||
"*restore*",
|
||||
"*lock*",
|
||||
"*recovery*",
|
||||
"*data*",
|
||||
"*read*",
|
||||
"*instruction*",
|
||||
"*how_to*",
|
||||
"*ransom*"
|
||||
) ] | tail 1
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1486"
|
||||
name = "Data Encrypted for Impact"
|
||||
reference = "https://attack.mitre.org/techniques/T1486/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0040"
|
||||
name = "Impact"
|
||||
reference = "https://attack.mitre.org/tactics/TA0040/"
|
||||
Reference in New Issue
Block a user