ransomware.yml
forked from sar2901/security_content
name: Ransomware
id: cf309d0d-d4aa-4fbb-963d-1e79febd3756
version: 1
date: '2020-02-04'
author: David Dorsey, Splunk
description: Leverage searches that allow you to detect and investigate unusual activity
  that might relate to ransomware, such as spikes in SMB traffic, suspicious wevtutil usage,
  the presence of common ransomware file extensions, system processes run from unexpected
  locations, and many others.
narrative: Ransomware is an ever-present risk to the enterprise, wherein an infected
  host encrypts business-critical data, holding it hostage until the victim pays the
  attacker a ransom. There are many types and varieties of ransomware that can affect
  an enterprise. Attackers can deploy ransomware to enterprises through spearphishing
  campaigns and drive-by downloads, as well as through traditional remote service-based
  exploitation. In the case of the WannaCry campaign, self-propagating wormable
  functionality was used to maximize infection. Fortunately, organizations can
  apply several techniques, such as those in this Analytic Story, to detect and/or
  mitigate the effects of ransomware.
references:
- https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/
- https://www.splunk.com/blog/2017/06/27/closing-the-detection-to-mitigation-gap-or-to-petya-or-notpetya-whocares-.html
tags:
  analytic_story: Ransomware
  category:
  - Malware
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
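The four indicators named in the description (wevtutil log clearing, ransomware file extensions, system processes launched from unexpected locations, and a burst of SMB connections) as detection logic run over constructed sample events. This is an added example written for this page in Python, not the Splunk searches this Analytic Story ships; the event field names, the extension list, the expected system directories and the SMB threshold are all this example's own assumptions.

```python
"""Added example: the four ransomware indicators from the Analytic Story's
description, checked over constructed sample events. Illustration code for
this page, not the Splunk searches the story references."""
from collections import defaultdict
import ntpath

# Illustrative sample of extensions appended by known ransomware families
# (WannaCry, Locky, Cerber); a production list is longer and curated.
RANSOMWARE_EXTENSIONS = {".wncry", ".wcry", ".locky", ".zepto", ".cerber"}

# Windows binaries that should only start from the system directories
# (assumed set for this example).
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                    "winlogon.exe", "smss.exe", "wininit.exe"}
EXPECTED_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample events (field names are this example's own, not a
# Splunk data model): process starts, file writes and network flows.
BASE_TS = 1_000_020  # epoch seconds, chosen to sit on a 60 s boundary
EVENTS = [
    {"type": "process", "host": "ws01",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    {"type": "process", "host": "ws01",
     "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "host": "ws02",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "host": "ws02",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil.exe qe Application /c:5"},
    {"type": "file", "host": "ws01", "path": r"C:\Users\bob\Documents\q3.xlsx.WNCRY"},
    {"type": "file", "host": "ws01", "path": r"C:\Users\bob\Documents\report.docx"},
    {"type": "file", "host": "ws03", "path": r"C:\Share\budget.pdf.locky"},
]
# Worm-like burst: ws01 reaches 40 distinct hosts on TCP/445 inside one minute.
EVENTS += [{"type": "net", "host": "ws01", "ts": BASE_TS + i, "dest": f"10.0.0.{i}", "dport": 445}
           for i in range(1, 41)]
# Benign traffic: ws02 talks to its file server a few times.
EVENTS += [{"type": "net", "host": "ws02", "ts": BASE_TS + i, "dest": "10.0.0.5", "dport": 445}
           for i in range(3)]


def detect_log_clearing(events):
    """wevtutil invoked with the 'cl' / 'clear-log' verb, i.e. event-log wiping.
    Querying logs ('qe') is normal administration and is not flagged."""
    hits = []
    for e in events:
        if e["type"] != "process" or ntpath.basename(e["image"]).lower() != "wevtutil.exe":
            continue
        args = e["cmdline"].lower().split()
        if len(args) > 1 and args[1] in {"cl", "clear-log"}:
            hits.append((e["host"], e["cmdline"]))
    return hits


def detect_ransomware_extensions(events):
    """File writes whose final extension matches a known ransomware suffix."""
    return [(e["host"], e["path"]) for e in events
            if e["type"] == "file"
            and ntpath.splitext(e["path"])[1].lower() in RANSOMWARE_EXTENSIONS]


def detect_misplaced_system_processes(events):
    """A system-process name launched from outside the expected directories."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        name = ntpath.basename(e["image"]).lower()
        if name in SYSTEM_PROCESSES and ntpath.dirname(e["image"]).lower() not in EXPECTED_SYSTEM_DIRS:
            hits.append((e["host"], e["image"]))
    return hits


def detect_smb_spike(events, window=60, threshold=20):
    """Hosts contacting more than `threshold` distinct peers on TCP/445 within
    one `window`-second bucket: the shape of worm-style lateral spread."""
    peers = defaultdict(set)  # (host, bucket_start) -> destinations seen
    for e in events:
        if e["type"] == "net" and e["dport"] == 445:
            bucket = e["ts"] // window * window
            peers[(e["host"], bucket)].add(e["dest"])
    return sorted((host, bucket, len(dests))
                  for (host, bucket), dests in peers.items() if len(dests) > threshold)


def run_story(events):
    """Run every detection and return the findings keyed by indicator."""
    return {
        "wevtutil_log_clearing": detect_log_clearing(events),
        "ransomware_extensions": detect_ransomware_extensions(events),
        "misplaced_system_processes": detect_misplaced_system_processes(events),
        "smb_spike": detect_smb_spike(events),
    }


if __name__ == "__main__":
    for indicator, findings in run_story(EVENTS).items():
        print(f"{indicator}: {findings}")
```

Counting distinct destinations per time bucket, rather than raw packet volume, is what separates a scanning host from a busy but legitimate file-server client; tune `threshold` against a baseline of your own environment before deploying logic like this.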