Detecting DarkSide ransomware

Searches using the endpoint data model

► Attempted credential dump from registry 

To run this search, your deployment needs to ingest endpoint data that tracks process activity, including parent-child relationships from your endpoints.

This search is designed to monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers might try to crack offline.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=reg.exe OR "Processes.original_file_name"=reg.exe OR "Processes.process_name"=cmd.exe OR "Processes.original_file_name"=Cmd.Exe) "Processes.process"=*save* ("Processes.process"=*HKEY_LOCAL_MACHINE\\Security* OR "Processes.process"=*HKEY_LOCAL_MACHINE\\SAM* OR "Processes.process"=*HKEY_LOCAL_MACHINE\\System* OR "Processes.process"=*HKLM\\Security* OR "Processes.process"=*HKLM\\System* OR "Processes.process"=*HKLM\\SAM*)) BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.original_file_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► BITSAdmin download file

This search identifies Microsoft Background Intelligent Transfer Service utility bitsadmin.exe using the transfer parameter to download a remote object.

In addition to running this search, you should also look for downloads or uploads on the command-line since the switches are not required to perform a transfer. Capture any files downloaded and review the reputation of the IP or domain used. Typically, after it is executed, a follow-on command is used to execute the dropped file. Network connection or file modification events related do not spawn or create from bitsadmin.exe, but the artifacts appear in a parallel process of svchost.exe with a command-line similar to svchost.exe -k netsvcs -s BITS.

It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs are created. You can use bitsadmin /list /verbose to list out the jobs during investigation.

Limited false positives should occur from this search; However, you might need to filter based on parent process name or network connection.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=bitsadmin.exe OR "Processes.original_file_name"=bitsadmin.exe) "Processes.process"=*transfer*) BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► CertUtil download with URLCache and split arguments

Certutil.exe might download a file from a remote destination using -urlcache. This behavior requires a URL to be passed on the command-line. In addition, -f (force) and -split (split embedded ASN.1 elements, and save to files) are used. While certutil.exe can contact a public IP space, it is uncommon for certutil.exe to write files to world-writeable paths.

During triage, capture any files on disk and review them, and also review the reputation of the remote IP or domain in question. 

You should receive limited false positives from this search in most environments. You can tune as needed based on parent-child relationship or network connection.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=certutil.exe OR "Processes.original_file_name"=CertUtil.exe) (("Processes.process"=*urlcache* "Processes.process"=*split*) OR "Processes.process"=*urlcache*)) BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.original_file_name", "Processes.parent_process_id" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► CertUtil download with VerifyCtl and split arguments

Certutil.exe might download a file from a remote destination using -VerifyCtl. This behavior requires a URL to be passed on the command-line. In addition, -f (force) and -split (split embedded ASN.1 elements, and save to files) will be used. While certutil.exe can contact a public IP space, it is uncommon for certutil.exe to write files to world-writeable paths.

During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using -VerifyCtl, the file is either written to the current working directory or %APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\<hash>.

You should receive limited false positives from this search in most environments. You can tune as needed based on parent-child relationship or network connection.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=certutil.exe OR "Processes.original_file_name"=CertUtil.exe) (("Processes.process"=*verifyctl* "Processes.process"=*split*) OR "Processes.process"=*verifyctl*)) BY "Processes.dest", "Processes.user", "Processes.original_file_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Detect PsExec with accepteula flag

To run this search, your deployment needs to ingest data that records process activity from your hosts.

This search looks for events where PsExec.exe is run with the accepteula flag in the command line.

PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems, and threat actors use this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they are prompted to accept the end-user license agreement (EULA), which can be passed as the argument accepteula within the command line.

False positives from this search might occur because administrators can use PsExec for accessing remote systems and might pass accepteula as an argument if they are running this tool for the first time. However, it is not likely that you will see multiple occurrences of this event on a machine.

| tstats summariesonly=false allow_old_summaries=true values("Processes.process") AS process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=psexec.exe OR "Processes.process_name"=psexec64.exe OR "Processes.original_file_name"=psexec.c) "Processes.process"=*accepteula*) BY "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Detect RClone command line usage

This search identifies commonly used command-line arguments used by rclone.exe to initiate a file transfer.

At this stage of a ransomware event, exfiltration is about to occur or has already occurred. During triage, isolate the endpoint and continue investigating by reviewing file modifications and parallel processes.

False positives should be limited as this search is restricted to the Rclone process name. You can filter or tune the search as needed.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.original_file_name"=rclone.exe OR "Processes.process_name"=rclone.exe) ("Processes.process"="*copy*" OR "Processes.process"="*mega*" OR "Processes.process"="*pcloud*" OR "Processes.process"="*ftp*" OR "Processes.process"="*--config*" OR "Processes.process"="*--progress*" OR "Processes.process"="*--no-check-certificate*" OR "Processes.process"="*--ignore-existing*" OR "Processes.process"="*--auto-confirm*" OR "Processes.process"="*--transfers*" OR "Processes.process"="*--multi-thread-streams*")) BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Detect renamed PSExec

This search identifies renamed instances of PsExec.exe being utilized on an endpoint.

During triage, validate this is the legitimate version of PsExec by reviewing the PE metadata. You should also review parallel processes for further suspicious behavior.

False positives from this search might occur since is possible some third party applications might use older versions of PsExec. You can filter or tune the search as needed.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=psexec.exe OR "Processes.process_name"=psexec64.exe OR "Processes.original_file_name"=psexec.c) BY "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.original_file_name" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Detect renamed RClone

This search identifies the usage of a renamed rclone.exe used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. During triage, isolate the endpoint and begin to review parallel processes for additional behavior.

At this stage of a ransomware event, the adversary might have staged data to be exfiltrated.

False positives from this search should be limited as the search identifies renamed instances of rclone.exe, which rarely occurs in legitimate scenarios. You should filter as needed if there is a legitimate business use case.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.original_file_name"=rclone.exe "Processes.process_name"!=rclone.exe) BY "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.original_file_name" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Extraction of registry hives

This search identifies the use of reg.exe exporting Windows Registry hives containing credentials. Adversaries might use this technique to export registry hives for offline credential access attacks, which are usually executed from a untrusted process or script. Upon execution, a file is written to disk.

False positives from this search might occur because it is possible that some agent-based products generate false positives. You can filter or tune the search as needed.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=reg.exe OR "Processes.original_file_name"=reg.exe) ("Processes.process"=*save* OR "Processes.process"=*export*) ("Processes.process"="*\sam *" OR "Processes.process"="*\system *" OR "Processes.process"="*\security *")) BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► SLUI RunAs elevated

This search identifies the Microsoft Software Licensing User Interface Tool, slui.exe, elevating access using the -verb RunAs function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are HKCU\Software\Classes\exefile\shell and HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command. To simulate this behavior, multiple POCs are available.

Limited false positives should be present because this behavior is not commonly used by legitimate applications.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=slui.exe "Processes.process"=*-verb* "Processes.process"=*runas*) BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► SLUI spawning a process

This search identifies the Microsoft Software Licensing User Interface Tool, slui.exe, spawning a child process. This behavior is associated with publicly known UAC bypass. Slui.exe is commonly associated with software updates and is most often spawned by svchost.exe. The slui.exe process should not have child processes, and any processes spawning from it run with elevated privileges.

During triage, review the child process and additional parallel processes. Identify any file modifications that might have lead to the bypass.

False positives from this search might occur since certain applications might spawn from slui.exe that are legitimate. Filter those out to ensure proper monitoring.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE "Processes.parent_process_name"=slui.exe BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Additional searches

 

► CMLUA or CMSTPLUA UAC bypass

This search detects a potential process using a COM object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.

| search (EventCode=7 NOT Image="*\\program files*" NOT Image="*\\windows\\*" NOT process_name="CMMGR32.exe" NOT process_name="CMSTP.exe" (ImageLoaded="*\\CMLUA.dll" OR ImageLoaded="*\\CMLUAUTIL.dll" OR ImageLoaded="*\\CMSTPLUA.dll") (source=Syslog:Linux-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational)) 
| stats count min(_time) as firstTime max(_time) AS lastTime BY Image ImageLoaded process_name Computer EventCode Signed ProcessId 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Cobalt Strike named pipes

To successfully implement this search, your deployment needs to ingest logs with the process name and imageloaded executions from your endpoints. 

This search identifies the use of default or publicly known named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Cobalt Strike uses named pipes in many ways and has default values used with the Artifact Kit and Malleable C2 Profiles.

Each EDR product presents named pipes differently. You can try taking the values and generating a search based on your product of choice.

Upon triage, review the process performing the named pipe. If it is explorer.exe, it is possible it was injected into by another process. Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process might have a network connection, review and follow the connection back to identify any file modifications.

Adversaries use named pipes with Cobalt Strike to blend in. Because of this, some of the named pipes identified and added might cause false positives. Filter by process name or pipe name to reduce false positives.

| search ((EventID=17 OR EventID=18) (source=Syslog:Linux-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (PipeName=\\DserNamePipe* OR PipeName=\\MSSE-* OR PipeName=\\UIA_PIPE* OR PipeName=\\mojo.* OR PipeName=\\msagent_* OR PipeName=\\ntsvcs* OR PipeName=\\postex_* OR PipeName=\\spoolss_* OR PipeName=\\srvsvc_* OR PipeName=\\status_* OR PipeName=\\win_svc* OR PipeName=\\winsock* OR PipeName=\\wkssvc*)) 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY Computer, process_name, process_id process_path, PipeName 
| rename Computer AS dest 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Delete ShadowCopy with PowerShell 

To successfully implement this search, your deployment needs to ingest PowerShell logs from your endpoints.

This search is designed to detect a PowerShell command to delete a shadow copy using the WMIC PowerShell module. This technique is used to deploy DarkSide Ransomware, where it executes a child process of PowerShell to execute a hex encoded command to delete shadow copy. This hex encoded command can then be decrypted by PowerShell log.

| search (EventCode=4104 Message="*ShadowCopy*" (Message="*Delete*" OR Message="*Remove*") (source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational")) 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY EventCode Message ComputerName User 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Bulk creation of ransomware notes

• If you are using Sysmon to run this search, you need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
• Need more help with this search? Click here.

This search looks for instances where a large number of ransomware notes are files created in the infected machine. These notes often have file extensions of .txt, .html or .hta.

| search (EventCode=11 (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (file_name="*\.hta" OR file_name="*\.html" OR file_name="*\.txt"))
| stats min(_time) AS firstTime max(_time) AS lastTime dc(TargetFilename) AS unique_readme_path_count values(TargetFilename) AS list_of_readme_path BY Computer Image file_name
| where (unique_readme_path_count >= 50)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Windows possible credential dumping

To successfully implement this search, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints. 

This search identifies common GrantedAccess permission requests and CallTrace DLLs which you can use to detect credential dumping.

False positives from this search might occur based on GrantedAccess 0x1010 and 0x1400. You should filter based on source image as needed or remove them. Cobalt Strike usage of Mimikatz generates 0x1010 initially, but will later be caught.

| search (EventCode=10 TargetImage=*lsass.exe (CallTrace="*dbgcore.dll*" OR CallTrace="*dbghelp.dll*" OR CallTrace="*ntdll.dll*") (source=Syslog:Linux-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (GrantedAccess="0x01000" OR GrantedAccess="0x1000" OR GrantedAccess="0x1010" OR GrantedAccess="0x1038" OR GrantedAccess="0x1400" OR GrantedAccess="0x1410" OR GrantedAccess="0x1438" OR GrantedAccess="0x143a" OR GrantedAccess="0x1fffff" OR GrantedAccess="0x40")) 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY Computer, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser 
| rename Computer AS dest 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)