You work for a Managed Security Provider (MSP). A user in your organization turns on their desktop one morning and is greeted by a message claiming that files on the system have been encrypted and that payment must be made to get the files back. You find out that Kaseya VSA, the remote monitoring and management (RMM) software used by your organization and other MSPs, has been compromised by REvil ransomware and is being used to distribute ransomware to its on-premises customers. You hear that the infection is spreading even to organizations that don't use Kaseya. As a security analyst, your goal is to investigate the ransomware by reconstructing the events that led to the system being infected. You also want to understand the full scope of the security breach and prevent additional systems from becoming infected.
How to use Splunk software for this use case
You can use Splunk software to investigate programs or binaries that executed on the infected system, examine connections the infected machine had to other network devices, construct a timeline of events, and create traffic flow diagrams to help visualize what happened.
To deploy this use case, make sure that you have Splunk ES Content Update (ESCU) installed on your Splunk Enterprise Security deployment. This extensive content library lets you deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. If you do not have Splunk Enterprise Security, these detections will still give you an idea of what you can accomplish with SPL in the Splunk platform or with the free app, Splunk Security Essentials.
Some of the detections that can help you with this use case include:
- Allow network discovery in firewall
- Delete ShadowCopy with PowerShell
- Disable Windows behavior monitoring
- Modification of wallpaper
- Msmpeng application DLL side loading
- Powershell disable security monitoring
- Revil common exec parameter
- Revil registry entry
- Wbemprox COM object execution
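The following Python script is an added example, not code from the Splunk page or from ESCU's own searches. It approximates three of the detections listed above (shadow copy deletion through PowerShell, disabling Windows Defender behavior monitoring, and enabling the Network Discovery firewall rule group) as simple rules over process-creation records, then uses the matches to build the per-host timeline and scope summary that the investigation description above calls for. Every host name, user, timestamp, parent process and command line in the sample data is constructed for illustration; the matching rules are assumptions about what each detection looks for, not the ESCU searches themselves.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 / Windows 4688 style), fields trimmed."""
    time: str          # ISO 8601 UTC timestamp
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str


# Constructed sample events: two workstations, one benign command on each,
# plus a short sequence of defense-evasion commands run as SYSTEM.
# "rmm-agent.exe" is a placeholder parent-process name, not a real product binary.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("2021-07-02T14:02:11Z", "WS-FINANCE-07", r"CORP\alice",
                 r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir"),
    ProcessEvent("2021-07-02T14:05:40Z", "WS-FINANCE-07", r"NT AUTHORITY\SYSTEM",
                 r"C:\Program Files\rmm-agent.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Set-MpPreference -DisableBehaviorMonitoring $true"),
    ProcessEvent("2021-07-02T14:06:02Z", "WS-FINANCE-07", r"NT AUTHORITY\SYSTEM",
                 r"C:\Program Files\rmm-agent.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
    ProcessEvent("2021-07-02T14:06:30Z", "WS-FINANCE-07", r"NT AUTHORITY\SYSTEM",
                 r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\netsh.exe",
                 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'),
    ProcessEvent("2021-07-02T14:09:15Z", "WS-HR-02", r"NT AUTHORITY\SYSTEM",
                 r"C:\Program Files\rmm-agent.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -Command "Set-MpPreference -DisableBehaviorMonitoring $true"'),
    ProcessEvent("2021-07-02T14:10:00Z", "WS-HR-02", r"CORP\bob",
                 r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe Get-ChildItem C:\Reports"),
]


def _name(image: str) -> str:
    """Basename of an image path, lower-cased for comparison."""
    return image.rsplit("\\", 1)[-1].lower()


def delete_shadowcopy_with_powershell(ev: ProcessEvent) -> bool:
    """PowerShell process whose command line references ShadowCopy and a delete action."""
    cl = ev.cmdline.lower()
    return _name(ev.image) == "powershell.exe" and "shadowcopy" in cl and "delete" in cl


def disable_windows_behavior_monitoring(ev: ProcessEvent) -> bool:
    """Any command line that switches off Defender behavior monitoring (cmdlet or registry)."""
    return re.search(r"disablebehaviormonitoring", ev.cmdline, re.I) is not None


def allow_network_discovery_in_firewall(ev: ProcessEvent) -> bool:
    """netsh enabling the 'Network Discovery' firewall rule group."""
    cl = ev.cmdline.lower()
    return (_name(ev.image) == "netsh.exe" and "firewall" in cl
            and 'group="network discovery"' in cl and "enable=yes" in cl)


# Detection name (as listed on the page) -> approximated rule (assumption).
DETECTIONS: Dict[str, Callable[[ProcessEvent], bool]] = {
    "Delete ShadowCopy with PowerShell": delete_shadowcopy_with_powershell,
    "Disable Windows behavior monitoring": disable_windows_behavior_monitoring,
    "Allow network discovery in firewall": allow_network_discovery_in_firewall,
}

Finding = Tuple[str, str, str, str]  # (time, host, detection name, command line)


def run_detections(events: List[ProcessEvent]) -> List[Finding]:
    """Apply every detection to every event; the time-sorted result is the incident timeline."""
    findings = [(ev.time, ev.host, name, ev.cmdline)
                for ev in events for name, check in DETECTIONS.items() if check(ev)]
    return sorted(findings)


def affected_hosts(findings: List[Finding]) -> List[str]:
    """Scope of the breach: every host with at least one finding."""
    return sorted({host for _, host, _, _ in findings})


def first_seen_per_host(findings: List[Finding]) -> Dict[str, str]:
    """Earliest finding per host, useful for ordering re-imaging and containment work."""
    first: Dict[str, str] = {}
    for time, host, _, _ in findings:
        first.setdefault(host, time)
    return first


if __name__ == "__main__":
    timeline = run_detections(SAMPLE_EVENTS)
    for time, host, name, cmdline in timeline:
        print(f"{time}  {host:<14} {name:<38} {cmdline}")
    print("affected hosts:", affected_hosts(timeline))
    print("first seen:", first_seen_per_host(timeline))
```

In a real deployment the same three rules map onto the Endpoint data model and the ESCU searches named above; the point of the script is to show how individual detection hits, once time-sorted and grouped by host, become the timeline and scope list that drive the remediation step that follows.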
If any results indicate that the infection has been detected, then the host or computer where the infection is detected needs to be further investigated and remediated according to your response plan. Remediation ends with re-imaging the system from a known good system build once the investigation is complete.
These additional resources might help you understand and implement this guidance:
- Use case procedure: DLL loaded in a specific process
- Blog: Kaseya, sera. What REvil shall encrypt, shall encrypt
Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.