Skip to content

Commit 66a0b6b

Browse files
SamirbousMikaayenson
Samirbous
and
Mikaayenson
authored
[Tuning] Potential Ransomware Behavior - High count of Readme files by System (#5167)
* Update impact_high_freq_file_renames_by_kernel.toml * Update impact_high_freq_file_renames_by_kernel.toml * Update impact_high_freq_file_renames_by_kernel.toml * Update impact_high_freq_file_renames_by_kernel.toml * Update impact_high_freq_file_renames_by_kernel.toml --------- Co-authored-by: Mika Ayenson, PhD <[email protected]>
1 parent 5d69eb1 commit 66a0b6b

File tree

1 file changed

+25
-30
lines changed

1 file changed

+25
-30
lines changed

rules/windows/impact_high_freq_file_renames_by_kernel.toml

Lines changed: 25 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -1,32 +1,24 @@
11
[metadata]
22
creation_date = "2024/05/03"
3-
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
3+
integration = ["endpoint"]
44
maturity = "production"
5-
updated_date = "2025/09/11"
5+
updated_date = "2025/09/30"
66

77
[rule]
88
author = ["Elastic"]
99
description = """
10-
This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with
11-
same file name containing keywords similar to ransomware note files and all within a short time period.
10+
This rule identifies the creation of multiple files with same name and over SMB by the same user. This behavior may indicate the
11+
successful remote execution of a ransomware dropping file notes to different folders.
1212
"""
1313
from = "now-9m"
14-
index = [
15-
"logs-endpoint.events.file-*",
16-
"winlogbeat-*",
17-
"logs-windows.sysmon_operational-*",
18-
"endgame-*",
19-
"logs-m365_defender.event-*",
20-
"logs-sentinel_one_cloud_funnel.*",
21-
]
22-
language = "kuery"
14+
language = "esql"
2315
license = "Elastic License v2"
24-
name = "Potential Ransomware Behavior - High count of Readme files by System"
16+
name = "Potential Ransomware Behavior - Note Files by System"
2517
note = """## Triage and analysis
2618
2719
#### Possible investigation steps
2820
29-
- Investigate the content of the readme files.
21+
- Investigate the content of the dropped files.
3022
- Investigate any file names with unusual extensions.
3123
- Investigate any incoming network connection to port 445 on this host.
3224
- Investigate any network logon events to this host.
@@ -59,27 +51,35 @@ note = """## Triage and analysis
5951
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
6052
"""
6153
references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/"]
62-
risk_score = 21
54+
risk_score = 47
6355
rule_id = "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a"
64-
severity = "low"
56+
severity = "medium"
6557
tags = [
6658
"Domain: Endpoint",
6759
"OS: Windows",
6860
"Use Case: Threat Detection",
6961
"Tactic: Impact",
7062
"Resources: Investigation Guide",
71-
"Data Source: Elastic Defend",
72-
"Data Source: Elastic Endgame",
73-
"Data Source: Microsoft Defender for Endpoint",
74-
"Data Source: Sysmon",
75-
"Data Source: SentinelOne",
63+
"Data Source: Elastic Defend"
7664
]
7765
timestamp_override = "event.ingested"
78-
type = "threshold"
66+
type = "esql"
7967

8068
query = '''
81-
event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and
82-
file.name:(*read*me* or *README* or *lock* or *LOCK* or *how*to* or *HOW*TO* or *@* or *recover* or *RECOVER* or *decrypt* or *DECRYPT* or *restore* or *RESTORE* or *FILES_BACK* or *files_back*)
69+
from logs-endpoint.events.file-* metadata _id, _version, _index
70+
71+
// filter for file creation event done remotely over SMB with common user readable file types used to place ransomware notes
72+
| where event.category == "file" and host.os.type == "windows" and event.action == "creation" and process.pid == 4 and user.id != "S-1-5-18" and
73+
file.extension in ("txt", "htm", "html", "hta", "pdf", "jpg", "bmp", "png", "pdf")
74+
75+
// truncate the timestamp to a 60-second window
76+
| eval Esql.time_window_date_trunc = date_trunc(60 seconds, @timestamp)
77+
78+
| keep file.path, file.name, process.entity_id, Esql.time_window_date_trunc
79+
80+
// filter for same file name dropped in at least 3 unique paths by the System virtual process
81+
| stats Esql.file_path_count_distinct = COUNT_DISTINCT(file.path), Esql.file_path_values = VALUES(file.path) by process.entity_id , file.name, Esql.time_window_date_trunc
82+
| where Esql.file_path_count_distinct >= 3
8383
'''
8484

8585

@@ -106,14 +106,9 @@ id = "T1021.002"
106106
name = "SMB/Windows Admin Shares"
107107
reference = "https://attack.mitre.org/techniques/T1021/002/"
108108

109-
110-
111109
[rule.threat.tactic]
112110
id = "TA0008"
113111
name = "Lateral Movement"
114112
reference = "https://attack.mitre.org/tactics/TA0008/"
115113

116-
[rule.threshold]
117-
field = ["host.id", "file.name"]
118-
value = 25
119114

0 commit comments

Comments
 (0)