A couple of weeks back, I was delivering a presentation. During this session I mentioned that if you are working in the technology industry these days and haven't heard about a ransomware attack affecting a large organization, you have probably been living under a rock!
For those unfamiliar with the basics of ransomware, I would highly recommend reading the following blog post by Darren Mccutchen, from the NetWitness Threat Research Team. The blog post is a great starting point for everything one needs to know about Ransomware and how it functions.
Ransomware operations have increased significantly over the past few years. As we have seen with recently publicized large scale attacks, ransomware groups are adding a great deal of sophistication to their tactics.
These incidents can severely impact business processes and leave organizations without the data they need to operate and deliver their mission-critical services.
There is no indication of bad actors stopping anytime soon and new variants of the malware are created and deployed almost every day.
Our research identified that impairing defenses to evade detection, tampering with system recovery mechanisms, and disabling security tooling are among the most common techniques threat actors employ at various stages of a typical ransomware operation.
Because detecting these techniques matters, we have built endpoint-based application rules that help identify not only ransomware activity, but also any other adversary that employs the same techniques.
Application Rules:
- deletes shadow volume copies*
Existing rule, updated to cover additional command-line variants detectable through the parameter attribute. Ransomware operators routinely delete shadow copies so that victims cannot restore files by reverting to an earlier snapshot.
Generated Meta Keys: boc = deletes shadow volume copies
- deletes backup catalog*
Existing rule, updated to cover additional command-line variants detectable through the parameter attribute. The backup catalog is what Windows Server Backup uses to locate and restore earlier backups; deleting it removes the victim's ability to enumerate and restore those backups, and it is commonly seen alongside shadow copy deletion just before encryption begins.
Generated Meta Keys: boc = deletes backup catalog
- disables windows defender using powershell*
Existing rule, updated to cover additional command-line variants detectable through the parameter attribute. Disabling Windows Defender from PowerShell (for example turning off real-time monitoring) compromises the integrity of the security solution and causes subsequent malicious activity to go unreported.
Generated Meta Keys: boc = disables windows defender using powershell
- deletes shadow volume copies using powershell
Ransomware operators often attempt to delete shadow copies so that victims are not able to restore file access by reverting to the shadow copies.
Generated Meta Keys: boc = deletes shadow volume copies using powershell
- tampers with windows defender registry
The rule triggers when the Windows Defender registry configuration is tampered with to disable the antispyware service. Such behavior can indicate someone trying to compromise the integrity of the security solution so that events go unreported.
Generated Meta Keys: boc = tampers with windows defender registry
- removes windows defender definitions
The rule triggers when the definition files are removed from windows defender. This technique essentially would make the security solution unable to pick up on the latest threats as it lacks the latest signatures.
Generated Meta Keys: boc = removes windows defender definitions
- evades scanning within windows defender
The rule detects the evasive technique of modifying Windows Defender to exclude specified paths, processes or file extensions from scanning. Using this technique, bad actors can keep Defender from taking any action against the malicious files used during the operation.
Generated Meta Keys: boc = evades scanning within windows defender
- disables windows audit policy
The rule detects the Windows audit policy being disabled so that host-based activity is no longer written to the event logs. Attackers use this to stop the collection of audit evidence, which makes forensic analysis and incident response difficult because there is not enough data to determine what occurred.
Generated Meta Keys: boc = disables windows audit policy
- clears application event log
New rule added to complement the existing rules (clears security event log, clears system event log) for better detection coverage. Indicator removal on the host makes forensic analysis and incident response difficult because there is not enough data to determine whether, and how, an incident occurred.
Generated Meta Keys: boc = clears application event log
- clears setup event log
New rule added to complement the existing rules (clears security event log, clears system event log) for better detection coverage.
Generated Meta Keys: boc = clears setup event log
- clears event logs using powershell
New rule added to complement the existing rules and cover the additional avenues of tampering with event logs.
Generated Meta Keys: boc = clears event logs using powershell
- disables event logging service
The rule detects when the Windows Event Log service is disabled. The service then does not start at boot, so event logs are no longer captured.
Generated Meta Keys: boc = disables event logging service
- enables safe mode
The rule detects when Safe Mode (safe boot) is enabled in Windows through the command line. Forcing Windows to reboot into Safe Mode allows malware operators to make changes that are not possible in normal operation, since most security products do not run there.
Generated Meta Keys: boc = enables safe mode
- disables safe mode
Disabling Safe Mode can indicate an adversary covering their tracks after evading detection or compromising the security software, as most security products do not function in a Safe Mode environment.
Generated Meta Keys: boc = disables safe mode
*These rules already exist on NW Live and have now been updated. Please make sure the latest version of the content is deployed.
*Please note that the application rules listed above may generate false positives. As each environment is unique, the filtering/whitelisting should be done on an individual basis.
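As an added illustration, not the NetWitness rule content itself (the post does not show the rule syntax), the following Python models the parameter-based condition behind each rule above as a regular expression and runs the whole set over a constructed batch of process-creation events, returning the boc meta value each rule would populate. The command-line variants, the patterns and the sample events are my own assumptions chosen to exercise the rules; the rules on NetWitness Live may match differently, and the benign entries at the end show why tuning still matters.

```python
import re
from typing import Dict, List, Tuple

# Each entry pairs a boc meta value from the post with a regex that
# approximates that rule's command-line (parameter) condition.
# These patterns are this example's own, not the NetWitness Live rule logic.
RULES: List[Tuple[str, str]] = [
    ("deletes shadow volume copies",
     r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("deletes shadow volume copies using powershell",
     r"win32_shadowcopy\b.*\b(remove-wmiobject|remove-ciminstance)\b"),
    ("deletes backup catalog",
     r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b"),
    ("disables windows defender using powershell",
     r"\bset-mppreference\b.*-disable(realtimemonitoring|behaviormonitoring|ioavprotection|scriptscanning)\b"),
    ("tampers with windows defender registry",
     r"\b(reg(\.exe)?\s+add|new-itemproperty|set-itemproperty)\b.*\bdisableantispyware\b"),
    ("removes windows defender definitions",
     r"\bmpcmdrun(\.exe)?\b.*-removedefinitions\b"),
    ("evades scanning within windows defender",
     r"\b(add|set)-mppreference\b.*-exclusion(path|process|extension)\b"),
    ("disables windows audit policy",
     r"\bauditpol(\.exe)?\b.*(/clear\b|/success:disable\b|/failure:disable\b)"),
    ("clears application event log",
     r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+application\b"),
    ("clears setup event log",
     r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+setup\b"),
    ("clears event logs using powershell",
     r"\b(clear-eventlog|remove-eventlog)\b"),
    ("disables event logging service",
     r"\bsc(\.exe)?\s+config\s+eventlog\b.*\bstart=\s*disabled\b"
     r"|\\services\\eventlog\b.*/v\s+start\b.*/d\s+4\b"),
    ("enables safe mode",
     r"\bbcdedit(\.exe)?\b.*/set\b.*\bsafeboot\b"),
    ("disables safe mode",
     r"\bbcdedit(\.exe)?\b.*/deletevalue\b.*\bsafeboot\b"),
]
COMPILED = [(boc, re.compile(rx, re.IGNORECASE)) for boc, rx in RULES]

# Constructed process-creation events (pid + command-line parameter).
# The last two are benign look-alikes that must not fire any rule.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 1001, "param": r"vssadmin.exe delete shadows /all /quiet"},
    {"pid": 1002, "param": r"wmic.exe shadowcopy delete /nointeractive"},
    {"pid": 1003, "param": r"powershell.exe -c Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"},
    {"pid": 1004, "param": r"wbadmin.exe delete catalog -quiet"},
    {"pid": 1005, "param": r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 1006, "param": r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"pid": 1007, "param": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'},
    {"pid": 1008, "param": r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\Public -ExclusionExtension .exe"},
    {"pid": 1009, "param": r"auditpol.exe /set /category:* /success:disable /failure:disable"},
    {"pid": 1010, "param": r"wevtutil.exe cl Application"},
    {"pid": 1011, "param": r"wevtutil.exe cl Setup"},
    {"pid": 1012, "param": r"powershell.exe Clear-EventLog -LogName Security, System"},
    {"pid": 1013, "param": r"sc.exe config eventlog start= disabled"},
    {"pid": 1014, "param": r"bcdedit.exe /set {default} safeboot minimal"},
    {"pid": 1015, "param": r"bcdedit.exe /deletevalue {default} safeboot"},
    {"pid": 1016, "param": r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\EventLog /v Start /t REG_DWORD /d 4 /f"},
    {"pid": 1017, "param": r"vssadmin.exe list shadows"},          # benign: enumeration only
    {"pid": 1018, "param": r"wevtutil.exe qe Application /c:5"},    # benign: query, not clear
]


def tag_command_line(param: str) -> List[str]:
    """Return every boc value whose rule matches this parameter string."""
    return [boc for boc, rx in COMPILED if rx.search(param)]


def tag_events(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Evaluate all rules against each event; result is keyed by pid."""
    return {int(e["pid"]): tag_command_line(str(e["param"])) for e in events}


if __name__ == "__main__":
    for pid, tags in tag_events(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags) if tags else "-")
```

Every pattern here is anchored on both the binary and the operation (delete, clear, disable) rather than on the binary alone, which is what keeps `vssadmin list shadows` and `wevtutil qe` from firing; this is the same kind of tuning the note above asks you to perform per environment, because a backup agent or an admin script may legitimately issue some of these commands.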
Investigate - Endpoint App Rules
Dependencies:
- NetWitness Platform 11.x and higher
- NetWitness Endpoint Server
Conclusion:
Now is the time for targeted threat detection against ransomware activity. The resources described in this post will help you monitor, detect and respond to it effectively using the NetWitness Platform.
References: