Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[New] Ransomware over SMB #3638

Merged
merged 14 commits into from
May 7, 2024
Merged

[New] Ransomware over SMB #3638

merged 14 commits into from
May 7, 2024

Conversation

Samirbous
Copy link
Contributor

@Samirbous Samirbous commented May 2, 2024
edited
Loading

Identifies file rename or file names like ransom note dropped via SMB.

https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/

image

image

image

image

Threshold based rule (detecs readme files dropped by ransomware) :

image

@Samirbous Samirbous added Rule: New Proposal for new rule OS: Windows windows related rules labels May 2, 2024
@Samirbous Samirbous self-assigned this May 2, 2024
@CyberTaoFlow
Copy link

no chance for a mitigation in defend on this?

@Samirbous
Copy link
Contributor Author

Samirbous commented May 3, 2024
edited
Loading

no chance for a mitigation in defend on this?

@CyberTaoFlow we are adding similar rules on the endpoint (Elastic Defend), we can't kill pid 4 (kernel is not a real process) but as a mitigation one can use the resulting alert to isolate the host via automation.

terrancedejesus
terrancedejesus approved these changes May 3, 2024
View reviewed changes
Copy link
Contributor

@terrancedejesus terrancedejesus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice! Thanks for taking the time to add some additional investigation guides. I think that context will be important for these rules and the analyst. I'd be curious if we have any better packet inspection on the SMB forefront with NPC integration? Left a suggestion about setup.

@Samirbous Samirbous merged commit 4a2e276 into main May 7, 2024
14 checks passed
@Samirbous Samirbous deleted the ransom-over-smb branch May 7, 2024 05:38
protectionsmachine pushed a commit that referenced this pull request May 7, 2024
@Samirbous @github-actions
[New] Ransomware over SMB (#3638)
8be992d 
* [New] Ransomware over SMB

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_ransomware_file_rename_smb.toml

* ++

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_ransomware_file_rename_smb.toml

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_high_freq_file_renames_by_kernel.toml

(cherry picked from commit 4a2e276)
protectionsmachine pushed a commit that referenced this pull request May 7, 2024
@Samirbous @github-actions
[New] Ransomware over SMB (#3638)
7908237 
* [New] Ransomware over SMB

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_ransomware_file_rename_smb.toml

* ++

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_ransomware_file_rename_smb.toml

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_high_freq_file_renames_by_kernel.toml

(cherry picked from commit 4a2e276)
protectionsmachine pushed a commit that referenced this pull request May 7, 2024
@Samirbous @github-actions
[New] Ransomware over SMB (#3638)
238cf4e 
* [New] Ransomware over SMB

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_ransomware_file_rename_smb.toml

* ++

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_ransomware_file_rename_smb.toml

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_high_freq_file_renames_by_kernel.toml

(cherry picked from commit 4a2e276)
protectionsmachine pushed a commit that referenced this pull request May 7, 2024
@Samirbous @github-actions
[New] Ransomware over SMB (#3638)
65fe11b 
* [New] Ransomware over SMB

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_ransomware_file_rename_smb.toml

* ++

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_ransomware_file_rename_smb.toml

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_high_freq_file_renames_by_kernel.toml

(cherry picked from commit 4a2e276)
protectionsmachine pushed a commit that referenced this pull request May 7, 2024
@Samirbous @github-actions
[New] Ransomware over SMB (#3638)
60650fa 
* [New] Ransomware over SMB

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_ransomware_file_rename_smb.toml

* ++

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_ransomware_file_rename_smb.toml

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_high_freq_file_renames_by_kernel.toml

(cherry picked from commit 4a2e276)
protectionsmachine pushed a commit that referenced this pull request May 7, 2024
@Samirbous @github-actions
[New] Ransomware over SMB (#3638)
1201a08 
* [New] Ransomware over SMB

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_ransomware_file_rename_smb.toml

* ++

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_ransomware_file_rename_smb.toml

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_high_freq_file_renames_by_kernel.toml

(cherry picked from commit 4a2e276)
protectionsmachine pushed a commit that referenced this pull request May 7, 2024
@Samirbous @github-actions
[New] Ransomware over SMB (#3638)
d1a44d5 
* [New] Ransomware over SMB

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_ransomware_file_rename_smb.toml

* ++

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_ransomware_file_rename_smb.toml

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_high_freq_file_renames_by_kernel.toml

(cherry picked from commit 4a2e276)
protectionsmachine pushed a commit that referenced this pull request May 7, 2024
@Samirbous @github-actions
[New] Ransomware over SMB (#3638)
48e7ba0 
* [New] Ransomware over SMB

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_ransomware_file_rename_smb.toml

* ++

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_ransomware_file_rename_smb.toml

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_high_freq_file_renames_by_kernel.toml

(cherry picked from commit 4a2e276)
protectionsmachine pushed a commit that referenced this pull request May 7, 2024
@Samirbous @github-actions
[New] Ransomware over SMB (#3638)
4bbb8c2 
* [New] Ransomware over SMB

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_ransomware_file_rename_smb.toml

* ++

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_ransomware_file_rename_smb.toml

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_high_freq_file_renames_by_kernel.toml

(cherry picked from commit 4a2e276)
protectionsmachine pushed a commit that referenced this pull request May 7, 2024
@Samirbous @github-actions
[New] Ransomware over SMB (#3638)
ad7062a 
* [New] Ransomware over SMB

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_ransomware_file_rename_smb.toml

* ++

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_ransomware_file_rename_smb.toml

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_high_freq_file_renames_by_kernel.toml

(cherry picked from commit 4a2e276)
protectionsmachine pushed a commit that referenced this pull request May 7, 2024
@Samirbous @github-actions
[New] Ransomware over SMB (#3638)
92bc71f 
* [New] Ransomware over SMB

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_ransomware_file_rename_smb.toml

* ++

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_ransomware_file_rename_smb.toml

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_high_freq_file_renames_by_kernel.toml

(cherry picked from commit 4a2e276)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@terrancedejesus terrancedejesus terrancedejesus approved these changes

@Aegrah Aegrah Aegrah approved these changes

@w0rk3r w0rk3r Awaiting requested review from w0rk3r

@DefSecSentinel DefSecSentinel Awaiting requested review from DefSecSentinel

@brokensound77 brokensound77 Awaiting requested review from brokensound77

Assignees

@Samirbous Samirbous

Labels
backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Samirbous @CyberTaoFlow @brokensound77 @Aegrah @terrancedejesus