NetWitness Community Blog

Detecting and Responding to Kaseya Ransomware with the NetWitness Platform

netwitness_idd
2021-07-16 12:44 PM

  • Attack logic
  • Ransomware behavior
  • The Zero-Day Vulnerabilities
  • Crypter: REvil Ransomware
  • REvil Attacker Details
  • Detection
  • Detection via NetWitness
  • Conclusion

On July 2nd, 2021, a supply-chain attack was launched through the software of Kaseya, a US company, on a scale reminiscent of the SolarWinds incident discovered in late 2020. Unlike SolarWinds, this supply-chain attack was destructive in intent, deploying ransomware at massive scale. Kaseya provides IT management software that other businesses use to manage the computers on their networks, which made it an optimal target for this type of attack.

Three days after the ransomware was deployed, on July 5th, Kaseya reported that fewer than 1,500 businesses were affected. Many of them were small and midsize businesses with little direct exposure to consumers.

However, third-party reports indicate that the attack unfolded much more widely, with a significant impact on the US and European retail market. For example, a Swedish supermarket chain reportedly had to close some outlets for several days because of the ransomware.

To make matters worse, on July 7th Malwarebytes reported a malicious spam campaign capitalizing on the awareness and distress caused by the attack: it spread bogus links purporting to be a Microsoft security update that were in fact a dropper for a Cobalt Strike payload.

While this second attack was opportunistic and relied on traditional social engineering, the original one was sophisticated, using zero-day vulnerabilities in the Kaseya Virtual System Administrator (VSA) software.

Kaseya VSA is used by companies of various sizes and by technology service providers for remote management, software patching, and monitoring of the systems on their networks. Software of this type, by its nature, requires broad access to and elevated trust on the systems it manages, which makes it especially attractive to attackers, all the more so because compromising it compromises many customers at once. The attacker exploited vulnerabilities in the VSA software and used it to disseminate ransomware across the Kaseya customer base.

In a public announcement, the infamous REvil gang claimed to be the orchestrator of the attack, and subsequent analyses from the security community corroborated the attribution.

Figure 1: REvil blog announcing the successful Kaseya attack

In the same announcement, REvil demanded $70 million for a decryption key that would unlock all computers affected by this widespread ransomware attack.

Attack logic

The attack began with an authentication bypass vulnerability in the Kaseya VSA web interface, which allowed REvil to upload its malicious tools to any exposed Kaseya server.


Figure 1: Initial exploitation via VSA Web Interface exploit

An additional vulnerability, most likely a SQL injection, was then used against the page /userFilterTableRpt.asp of the Kaseya web interface. This allowed execution of the malicious DLL payload (KUpload.dll) uploaded once the server had been exploited.

The DLL provides upload functionality and writes a log file, KUpload.log, which the attacker used for troubleshooting. If recovered during an investigation, that log is a good starting point for an analyst looking into a suspected breached Kaseya server: it shows when and how the attack was carried out.


Figure 2: SQL Injection and subsequent activation of the second stage of the attack

The UI authentication vulnerability, along with other flaws in Kaseya VSA, had originally been discovered in March 2021 by researchers of the Dutch Institute for Vulnerability Disclosure (DIVD) and reported to Kaseya under responsible disclosure: https://csirt.divd.nl/cases/DIVD-2021-00011/

Despite this, REvil obtained the same vulnerability through a different source and used it against Kaseya and its customers before a fix had shipped.

Once the attacker could interact with the Kaseya server, they dropped a crypter based on REvil ransomware (named agent.crt) and were ready to infect internal systems through the VSA server's update feature.

Notably, in the cases investigated by the NetWitness IR team, and as confirmed by other researchers, there was no evidence of data exfiltration before the ransomware was disseminated. This differentiates the attack from other intrusions connected with the REvil threat actor.


Figure 3: Malicious tools upload

With the crypter uploaded to the VSA server, the attacker proceeded to disseminate it to the victim's network.

To do so, the attacker sent an update command to all connected Kaseya monitoring agents (the agent is a monitoring service/application on each managed host). Each agent then downloaded agent.crt from the initial drop folder, together with a batch script that performs the additional actions needed to activate the ransomware.

Once executed, the script moves the ransomware from the download folder:

<kaseya web root>\VSATicketFiles\agent.crt

to the agent working directory:

#agentWrkDir#\agent.crt

The script completes the staging by comparing the current date, obtained through a SQL query against the VSA server database, with the activation date (July 2). This value is used together with the ping-based sleep timer described later.


Figure 4: Malicious Crypter/Ransomware dissemination leveraging on on-premises VSA server

These vulnerabilities and their exploitation allowed the attacker to organize the dissemination of ransomware at a massive and indiscriminate scale: each compromised VSA server inside an affected network attempts to push the ransomware to the VSA agents running on the Windows devices it manages.

Ransomware behavior

Execution of the ransomware on the victim system is initiated by the VSA monitoring service (AgentMon.exe) and driven by the commands of a malicious batch script delivered alongside agent.crt.

The whole execution runs under the Kaseya AgentMon.exe process, which traditional security applications such as antivirus trust.


Figure 5: Task Manager showing Kaseya VSA Monitoring agent

This gave REvil a huge advantage over the security measures enforced in the network: exploiting the VSA server provided the initial compromise through a trusted channel and leveraged the trust placed in the VSA agent code. That trust is reflected in the anti-malware exclusions Kaseya requires during setup for its application and agent "working" folders.

Anything dropped into those excluded folders and executed by the Kaseya Agent Monitor is not scanned by the antivirus, which allowed REvil to deploy its dropper without scrutiny.

The VSA server sends the "agent.crt" package to the internal Windows systems together with a batch script which, once executed, moves the .crt file to the agent working directory, decodes it (the file is base64-encoded rather than encrypted, as the certutil -decode step below shows) and writes the result as "agent.exe".

"agent.exe" carries two binaries embedded in its resource section:

  • MsMpEng.exe
  • mpsvc.dll

On execution, agent.exe writes both files (with SYSTEM privilege) into C:\Windows and then launches MsMpEng.exe, which loads the malicious "mpsvc.dll" through classic DLL side-loading.

The Zero-Day Vulnerabilities

The attacker exploited a small set of zero-day vulnerabilities to upload files to vulnerable Kaseya VSA servers and execute subsequent commands from them.

Authentication bypass vulnerability in the Kaseya VSA web interface

While several core details of the exploitation are still missing, the way the initial attack sequence was carried out confirms that the authentication bypass was most likely the initial exploit used to land on the VSA server.

SQL injection attack

The SQL injection was carried out against the following VSA web page:

userFilterTableRpt.asp

As first clarified in a Huntress report, this file contains a large number of potential SQL injection vulnerabilities, offering a vector for code execution, an essential complement to the authentication bypass that gave the attacker access to the VSA server in the first place.

The SQL injection phase then allowed the REvil threat actors to execute the following actions on the VSA agents:


Figure 6: Second stage of the attack (triggered by the SQL Injection)

Process tracking data from a targeted system shows the actions carried out by the attacker; on the endpoint the whole sequence is chained into a single cmd.exe command line:

"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe

echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe

del /q /f c:\kworking\agent.crt C:\Windows\cert.exe

c:\kworking\agent.exe

Once agent.exe runs, REvil uses DLL side-loading to have the bundled Windows Defender binary load the REvil ransomware DLL, which starts encrypting the machine and removes Kaseya logs to reduce the risk of detection.

Contrary to previous REvil attacks, no further commands have been reported by the security community.

In this case, none of the reported commands, nor anything in the ransomware executable itself, allows data to be stolen from the network.

This therefore appears to be a fully automated attack that let the malicious actors operate at a remarkable scale, while forcing REvil to depart from its usual strategy, which limited the impact on, and the chance of negotiating with, individual victims.

Some of the most effective techniques adopted in the past by REvil and other Malware-as-a-Service (MaaS) actors relied on exfiltrating data first and threatening to leak it on the Internet if the victim did not pay the requested sum.

Crypter: REvil Ransomware

REvil ransomware is not new. It has been advertised on underground forums since 2019 and is one of the most prolific Ransomware-as-a-Service (RaaS) and MaaS offerings.

The crew and its affiliates had a record year in 2020, reportedly collecting more than $100M USD.

As a malware family, REvil/Sodinokibi is typical ransomware with some peculiarities.

It encrypts all files on local drives except those listed in its configuration, but more importantly, during initial activation it checks the system keyboard layouts through User32.dll's GetKeyboardLayoutList function. The check inspects the low byte of each layout identifier, which holds the primary language ID, and terminates execution if that value falls between 0x18 and 0x44 inclusive, a range that covers Russian (0x19), Ukrainian (0x22) and other Eastern European and CIS layouts.

The variant used in this attack is version 2, deployed through the batch command already discussed, which in turn is executed by the Kaseya agent.

The ransomware itself has no functionality to evade security products. The batch command takes care of disabling them, and uses the certutil.exe utility to unpack the final payload: the ransomware DLL (mpsvc.dll) together with an older, legitimately signed Microsoft Defender binary (MsMpEng.exe) that is susceptible to side-loading.

The DLL is then loaded by running this older Defender executable, the DLL side-loading technique (T1574.002).

REvil Attacker Details

The actor is tracked as "GOLD SOUTHFIELD" (G0115) in the MITRE ATT&CK framework.

REvil is a cybercriminal group that authors and operates the REvil ransomware (also known as "Sodinokibi") on behalf of various affiliated threat groups. RSA has reported it as a MaaS operator since April 2019.

Based on threat intelligence reports, the group inherited the infamous GandCrab ransomware source code from the original GandCrab operators, tracked as GOLD GARDEN.

The crew authors REvil and operates the backend infrastructure that affiliates (also called partners) use to create malware builds and collect ransom payments from victims.

Partners are recruited on Russian-speaking underground forums, where a limited and exclusive partnership is offered to candidates who demonstrate the ability to penetrate high-value Western organizations.

REvil affiliates distribute the ransomware by a variety of means, including exploit kits, scan-and-exploit attacks, publicly accessible RDP and remote monitoring and management (RMM) servers, and backdoored software installers.

Since December 2019, like other crews such as Maze and Nefilim, REvil has operated a website accessible via Tor that publishes data stolen during intrusions to generate additional leverage against victims.

Among common attack techniques, the following are characteristic of REvil intrusions, as catalogued in the MITRE ATT&CK profile of GOLD SOUTHFIELD (G0115):

  • T1059 Command and Scripting Interpreter (technique)
  • T1059.001 PowerShell (sub-technique): GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts. (Tetra Defense, Sodinokibi, March 2020)
  • T1190 Exploit Public-Facing Application: GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise. (Secureworks, REvil, September 2019)
  • T1133 External Remote Services: GOLD SOUTHFIELD has used publicly accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines. (Secureworks, REvil, September 2019)
  • T1027 Obfuscated Files or Information: GOLD SOUTHFIELD has executed base64-encoded PowerShell scripts on compromised hosts. (Tetra Defense, Sodinokibi, March 2020)
  • T1566 Phishing: GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victims' machines. (Secureworks, REvil, September 2019)
  • T1219 Remote Access Software: GOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool ConnectWise Control to deploy REvil (https://attack.mitre.org/software/S0496). (Tetra Defense, Sodinokibi, March 2020)
  • T1113 Screen Capture: GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victims' machines. (Tetra Defense, Sodinokibi, March 2020)
  • T1195 Supply Chain Compromise (technique)
  • T1195.002 Compromise Software Supply Chain (sub-technique): GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR. (Secureworks, REvil, September 2019; Secureworks, GandCrab and REvil, September 2019; Secureworks, GOLD SOUTHFIELD)
  • T1199 Trusted Relationship: GOLD SOUTHFIELD has breached Managed Service Providers (MSPs) to deliver malware to MSP customers. (Secureworks, REvil, September 2019)

Table 1: REvil/Sodinokibi ATT&CK profile

Detection

To detect this ransomware attack and develop actionable indicators, the NetWitness IR team (NWIR) re-created the attack in a lab using events from investigated cases. The goal was to extract significant content to complement the initial IOCs.

The following lab setup was used:

Figure 7: Lab overview

  • NetWitness Packets: software version 11.6
  • NetWitness Endpoint: software version 11.6
  • Desktop: Windows 10 1909
  • Domain controller and Kaseya VSA server: Windows Server 2016 Standard

Lab tests

Our team focused on the actions carried out after exploitation of the VSA vulnerability to drop and execute the ransomware file 'agent.crt', which is activated via malicious batch commands.

The command was captured by NetWitness Endpoint as several Process and Console events. The console event containing the entire one-line command is shown below:

Figure 8: Malicious Batch Command

First, the command implements a sleep timer by running the ping utility against localhost with a very large number of echo requests.

The subsequent commands are not executed until all the pings have completed. In the experiment this number was reduced to expedite analysis; in the wild the count was in the thousands (4979 in the sample above), which at roughly one request per second takes over an hour to complete.


Figure 9: Ping with number of echo requests

The second command runs PowerShell to disable Windows Defender. NetWitness flags this process event as disabling security tools.

Figure 10: Disabling Windows Defender

Next, the command uses a couple of masquerading techniques before running the CertUtil.exe Windows utility, to evade monitoring of that program: CertUtil.exe is copied and renamed to cert.exe, and a few bytes (the text of a random number) are appended to the copy so that any monitoring based on the file's cryptographic hash fails to match. Monitoring keyed on the binary's version metadata (OriginalFilename) or on the -decode command-line argument rather than on the hash is unaffected by this trick.

Figure 11: Creation and Execution of Masqueraded CertUtil

Once copied and modified, CertUtil is used to create an executable called "agent.exe" by decoding the content of agent.crt. Finally, after deleting cert.exe and agent.crt, the command runs agent.exe.


Figure 12: Creation of Agent.exe

'agent.exe' drops a vulnerable version of Windows Defender (MsMpEng.exe) and the REvil DLL. agent.exe then runs MsMpEng.exe, which loads and executes the malicious DLL through DLL side-loading. From that point the REvil ransomware begins encrypting the targeted files.


Figure 13: Agent.exe dropped files and MsMpEng.exe execution

Detection via NetWitness

The NetWitness Platform can detect a Kaseya breach by querying the system for specific IOCs in three different areas:

  • Endpoint
  • Packet
  • Logs

The following queries can be used within NetWitness to identify known atomic indicators associated with the REvil attack.

A comprehensive list of hashes published on GitHub by Cado Security can be queried against 'checksum.all':

checksum.all = '45aebd60e3c4ed8d3285907f5bf6c71b3b60a9bcb7c34e246c20410cf678fc0c','36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752','7ea501911850a077cf0f9fe6a7518859','e1d689bf92ff338752b8ae5a2e8d75586ad2b67b','e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2','0299e3c2536543885860c7b61e1efc3f','682389250d914b95d6c23ab29dffee11cb65cae9','df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e','835f242dde220cc76ee5544119562268','8118474606a68c03581eef85a05a90275aa1ec24','dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f','849fb558745e4089a8232312594b21d2','1bcf1ae39b898aaa8b6b0207d7e307b234614ff6','d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20','561cffbaba71a6e8cc1cdceda990ead4','5162f14d75e96edb914d1756349d6e11583db0b0','d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e','4a91cb0705539e1d09108c60f991ffcf','7895e4d017c3ed5edb9bf92c156316b4990361eb','d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f','7d1807850275485397ce2bb218eff159','45c1b556f5a875b71f2286e1ed4c7bd32e705758','cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6','8535397007ecb56d666b666c3592c26d','0912b7cecfbe82d6903a8a0dc421c285480e5caa','aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7','5a97a50e45e64db41049fd88a75f2dd2','20e3a0955baca4dc7f1f36d3b865e632474add77','66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8','040818b1b3c9b1bf8245f5bcb4eebbbc','c0f569fc22cb5dd8e02e44f85168b4b72a6669c3','0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402','be6c46239e9c753de227bf1f3428e271','13d57aba8df4c95185c1a6d2f945d65795ee825b','81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471','a560890b8af60b9824c73be74ef24a46','c2bb3eef783c18d9825134dc8b6e9cc261d4cca7','8e846ed965bbc0270a6f58c5818e039ef2fb78def4d2bf82348ca786ea0cea4f','a47cf00aedf769d60d58bfe00c0b5421','656c4d285ea518d90c1b669b79af475db31e30b1','8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd','18786bfac1be0ddf23ff94c029ca4d63','3c2b0dcdb2a46fc1ec0a12a54309e35621caa925','1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e'

This query matched many of the dropped files created and executed in the lab experiment.
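The list above mixes MD5, SHA-1 and SHA-256 values and, as pasted, had one hash wrapped across a line, so it pays to validate and normalize an IOC list before it goes into a query. The Python below is an added example, not NetWitness tooling or Cado Security's script: it extracts the quoted tokens from pasted text, rejoins line-wrapped ones, classifies each by length, drops duplicates and malformed entries, and chunks the result into checksum.all clauses of the shape shown above (the chunk size is an assumption). The same builder serves for the domain.all / alias.host domain list discussed further down. The sample blob is constructed from four hashes of the list plus one duplicate and one bad token.

```python
"""Turn a pasted, mixed MD5/SHA1/SHA256 IOC list into NetWitness checksum.all queries.

Added example, not NetWitness tooling. The clause shape
    checksum.all = 'h1','h2',...
is the one shown in the post; the per-query chunk size is an assumption.
"""
import re

HEX = re.compile(r"^[0-9a-f]+$")
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_ioc_blob(text):
    """Pull single-quoted tokens out of pasted text, re-joining any that a line wrap split."""
    return [re.sub(r"\s+", "", tok) for tok in re.findall(r"'([^']*)'", text)]


def normalize_hashes(tokens):
    """Lowercase, validate and dedupe; return ({kind: [hashes]}, [(token, reason)])."""
    accepted = {kind: [] for kind in HASH_KINDS.values()}
    rejected, seen = [], set()
    for tok in tokens:
        h = tok.strip().lower()
        kind = HASH_KINDS.get(len(h))
        if kind is None or not HEX.match(h):
            rejected.append((tok, "not a hex MD5/SHA1/SHA256"))
            continue
        if h not in seen:
            seen.add(h)
            accepted[kind].append(h)
    return accepted, rejected


def build_queries(values, metakey="checksum.all", per_query=25):
    """Chunk values into "metakey = 'v1','v2',..." clauses; works for domain.all too."""
    return [f"{metakey} = " + ",".join(f"'{v}'" for v in values[i:i + per_query])
            for i in range(0, len(values), per_query)]


# Constructed sample: four hashes taken from the post's list (one of them wrapped
# across a line, as in the original), an upper-case duplicate and a bad token.
SAMPLE_BLOB = """checksum.all =
'45aebd60e3c4ed8d3285907f5bf6c71b3b60a9bcb7c34e246c20410cf678fc0c','7ea501911850a077cf0f9fe6a7518859',
'e1d689bf92ff338752b8ae5a2e8d75586ad2b67b','8dd620d9aeb35960bb766458c8890ede987c33d239cf730
f93fe49d90ae759dd','E1D689BF92FF338752B8AE5A2E8D75586AD2B67B','not-a-hash'
"""


def sample_queries(per_query=3):
    """Normalize SAMPLE_BLOB and return (queries, rejected tokens)."""
    accepted, rejected = normalize_hashes(parse_ioc_blob(SAMPLE_BLOB))
    ordered = accepted["sha256"] + accepted["sha1"] + accepted["md5"]
    return build_queries(ordered, per_query=per_query), rejected


if __name__ == "__main__":
    queries, rejected = sample_queries()
    for q in queries:
        print(q)
    for tok, why in rejected:
        print("rejected:", tok, why)
```

Keeping the rejected tokens visible matters: a silently dropped hash is an indicator you think you are hunting for but are not.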

Alternatively, the check can be run against a specific subset of the IOCs:


Figure 14: Example of 'checksum.all' query against a subset of hashes

The resulting match is highlighted below:


Figure 15: Hash Matches associated w/ REvil Attack

The search can also be directed at domains and IP addresses; the latter is shown below:


Figure 16: Query for selected IP Address related to Kaseya breach

Additionally, a Zscaler blog published a list of more than 1,000 domains associated with the ransomware variants observed in this attack. These values can be queried against the 'alias.host' and 'domain.all' metakeys.

The network configuration was disabled in the REvil samples observed in the Kaseya attack, so they do not beacon on their own; the traffic produced in this experiment was generated with a modified version of the ransomware.

The screenshot below shows DNS events that match the domains associated with REvil beaconing.


Figure 17: REvil C2 Match

A query of this kind identifies potential events within packets, endpoint, or logs that are associated with these REvil C2 domains.

At the endpoint level, we can leverage IOCs related to tampering with Microsoft Defender.

As reported, the attack relies on PowerShell to disable it, so we can query the endpoint platform for that action:


Figure 18:  NWE query for PowerShell used to tamper Microsoft Defender

We can also search for specific local paths and files.

The following filenames and paths were observed during the analysis:

  • kworking\agent.crt: encoded malicious content
  • kworking\agent.exe: decoded content of agent.crt
  • mpsvc.dll: REvil encryptor payload

In addition, a registry key is created when the ransomware is dropped on a system:

HKLM:\SOFTWARE\Wow6432Node\BlackLivesMatter

It can be added to the endpoint search to look for REvil activity on the system:


Figure 19: NWE query for local files, folders and Registry key

To complete the review of the mechanisms available to detect REvil activity linked with this campaign, we can leverage the logs collected by NetWitness.

In particular, we can focus on the following event IDs in the Microsoft-Windows-Windows Defender/Operational event log:

  • 5001: real-time protection disabled
  • 5004: real-time protection configuration changed
  • 5007: antimalware platform configuration changed

Figure 20: Event ID 5007 – Windows Defender Disabled

We can also search the Windows Security event log for event ID 4688 (process creation) where the process command line matches "\\kworking\\agent.exe*" (backslashes escaped as typed in the NetWitness query):


Figure 21: Event ID 4688 – Process Creation
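The lab walk-through above (Figures 8 to 13), the endpoint indicators (the kworking\ paths and the BlackLivesMatter registry key), the Defender event IDs and the 4688 command-line search all describe pieces of one chain. The Python below is an added example, not NetWitness content or an application rule: it encodes those checks as stage detectors, runs them over constructed process, Defender, registry and image-load records, and reports hosts where several stages coincide, so a lone short ping or an administrator running the genuine certutil.exe does not fire by itself. The flat event shape, the ping threshold and the list of legitimate Defender install directories are assumptions; the command-line patterns follow the commands quoted in the post.

```python
"""Stage-aware hunt for the Kaseya/REvil deployment chain over constructed events.

Added example for this post, not NetWitness content or an application rule.
The event shape (one flat dict per event) is an assumption standing in for
4688/NWE process, Defender/Operational, registry and image-load records.
"""
import re
from collections import defaultdict

# Sleep-by-ping: loopback echo with an unusually large -n count.
PING_SLEEP = re.compile(r"\bping\b.*?127\.0\.0\.1.*?-n\s+(\d+)", re.IGNORECASE)
# Defender tampering via Set-MpPreference -Disable<Feature> $true.
DEFENDER_TAMPER = re.compile(r"Set-MpPreference.*?-Disable\w+\s+\$true", re.IGNORECASE)
# certutil.exe copied under another name (cert.exe in the post).
CERTUTIL_COPY = re.compile(r"\bcopy\b.*?certutil\.exe\s+(?P<dst>\S+)", re.IGNORECASE)
# A binary that is not certutil.exe decoding a file into an .exe.
DECODE_TO_EXE = re.compile(r"(?P<bin>\S+)\s+-decode\s+\S+\s+\S+\.exe\b", re.IGNORECASE)
# Agent working-directory artifacts named in the post.
KWORKING_AGENT = re.compile(r"\\kworking\\agent\.(crt|exe)\b", re.IGNORECASE)
DEFENDER_EVENT_IDS = {5001, 5004, 5007}  # Microsoft-Windows-Windows Defender/Operational
REVIL_REGISTRY_KEY = "HKLM\\SOFTWARE\\Wow6432Node\\BlackLivesMatter"
# Where a genuine MsMpEng.exe runs from (assumption: the two standard Defender locations).
DEFENDER_DIRS = ("c:\\program files\\windows defender\\",
                 "c:\\programdata\\microsoft\\windows defender\\platform\\")


def stages_for_command(cmdline, min_pings=1000):
    """Return the set of chain stages evidenced by one process command line."""
    hits = set()
    m = PING_SLEEP.search(cmdline)
    if m and int(m.group(1)) >= min_pings:
        hits.add("ping_sleep")
    if DEFENDER_TAMPER.search(cmdline):
        hits.add("defender_tamper")
    m = CERTUTIL_COPY.search(cmdline)
    if m and "certutil" not in m.group("dst").lower():
        hits.add("certutil_masquerade")
    m = DECODE_TO_EXE.search(cmdline)
    if m and "certutil" not in m.group("bin").lower():
        hits.add("renamed_decoder")
    if KWORKING_AGENT.search(cmdline):
        hits.add("kworking_agent")
    return hits


def is_defender_sideload(process_path, module_path):
    """MsMpEng.exe running outside its install dirs and loading mpsvc.dll from its own dir."""
    proc, mod = process_path.lower(), module_path.lower()
    if not proc.endswith("\\msmpeng.exe") or not mod.endswith("\\mpsvc.dll"):
        return False
    legitimate = any(proc.startswith(d) for d in DEFENDER_DIRS)
    same_dir = proc.rsplit("\\", 1)[0] == mod.rsplit("\\", 1)[0]
    return same_dir and not legitimate


def stages_for_event(event, min_pings=1000):
    """Map one event record to the stages it evidences."""
    src = event.get("source")
    if src == "process":
        return stages_for_command(event["command_line"], min_pings)
    if src == "defender" and event.get("event_id") in DEFENDER_EVENT_IDS:
        return {"defender_event"}
    if src == "registry" and event.get("key", "").lower() == REVIL_REGISTRY_KEY.lower():
        return {"revil_registry_key"}
    if src == "image_load" and is_defender_sideload(event["process"], event["module"]):
        return {"defender_sideload"}
    return set()


def hunt(events, min_stages=2, min_pings=1000):
    """Group stage hits per host; report hosts showing at least min_stages distinct stages."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= stages_for_event(ev, min_pings)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}


# Constructed sample telemetry (not captured data). ws01 replays the chain
# quoted in the post; ws02 and ws03 are benign look-alikes.
SAMPLE_EVENTS = [
    {"host": "ws01", "source": "process", "event_id": 4688, "command_line":
     r"C:\WINDOWS\system32\cmd.exe /c ping 127.0.0.1 -n 4979 > nul & "
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference "
     r"-DisableRealtimeMonitoring $true -DisableIOAVProtection $true -Force & "
     r"copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & "
     r"echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode "
     r"c:\kworking\agent.crt c:\kworking\agent.exe & "
     r"del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe"},
    {"host": "ws01", "source": "defender", "event_id": 5001},
    {"host": "ws01", "source": "registry", "key": "HKLM\\SOFTWARE\\Wow6432Node\\BlackLivesMatter"},
    {"host": "ws01", "source": "image_load", "process": r"C:\Windows\MsMpEng.exe",
     "module": r"C:\Windows\mpsvc.dll"},
    {"host": "ws02", "source": "process", "event_id": 4688,
     "command_line": r"C:\Windows\System32\certutil.exe -decode C:\temp\ca.b64 C:\temp\ca.cer"},
    {"host": "ws02", "source": "image_load",
     "process": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
     "module": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\mpsvc.dll"},
    {"host": "ws03", "source": "process", "event_id": 4688,
     "command_line": r"C:\WINDOWS\system32\cmd.exe /c ping 127.0.0.1 -n 4 > nul"},
]

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(host, ", ".join(stages))
```

Only ws01 is reported, with all eight stages; the genuine certutil.exe decode on ws02 and the four-packet ping on ws03 produce no stage at all. The side-load check is deliberately narrow (MsMpEng.exe outside its install directories loading mpsvc.dll from its own folder) because that is exactly what Figure 13 shows; the hash-based search earlier in the post is the complement for the case where the dropped binaries are already known.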

Conclusion

The Kaseya ransomware attack is among the largest and most impactful cybersecurity events to date. The use of ransomware as a service (RaaS) in a supply-chain attack combines two particularly pernicious techniques.

However, while the combination of techniques is novel, the underlying tactics are typical of modern advanced persistent threats (APTs), which the NetWitness Platform is designed to detect. NetWitness recommends periodic proactive hunting for lateral movement and ransomware activity as foundational hygiene; see Using RSA NetWitness to Detect Ransomware Attacks:

https://community.rsa.com/t5/rsa-netwitness-platform-blog/using-rsa-netwitness-to-detect-ransomware-attacks/ba-p/520201#toc-hId--695722310

Labels:
  • Resources
  • Tutorials
  • Use Cases
  • Kaseya
  • NetWitness Platform
  • ransomware
© 2022 RSA Security LLC or its affiliates. All rights reserved.