You would probably agree with me when I state that Software-as-a-Service (SaaS) is a great way to save money and buy peace of mind. Of course there are still some pain points, but by choosing the SaaS option you save on hardware and development costs, you get a scalable solution that is easy to deploy, and a 24/7 (or close) support service.
Well, attackers too understood how good a model this is! For a few years now, instead of renting legitimate services, anyone can rent malware; this is how the concept of Malware-as-a-Service was born.
Botnets, keyloggers, ransomware (look also for Ransomware-as-a-Service), pieces of code or advanced malware: anything can be found either on the dark web or simply on "normal" forums for less experienced users.
Once again, the IBM QRadar Endpoint Content Extension can help you implement efficient monitoring to detect suspicious behavior.
In this blog we are going to answer the following “How can I” questions with some of the scenarios included in the content pack.
How can I:
- Elevate the visibility of my SOC analysts on Malware-as-a-Service?
- Detect Ryuk ransomware?
- Get a quick overview on ransomware activity in my network?
The IBM QRadar Endpoint Content Extension has been optimized to work with Windows (Security event logs, Sysmon and PowerShell) and Linux (Auditd), but can be extended to other devices for which the same behaviors apply (e.g. Mac OS, AIX, etc.).
How can I elevate the visibility of my SOC analysts on Malware-as-a-Service?
Today we’re having a look at the Ryuk ransomware. In the previous Anatomy of a Ransomware blog, we talked about the fact that most ransomware have a similar operating mode, and sometimes even common portions of code.
Ryuk is known to often make use of two trojans that appear to be available "as a service": Emotet and Trickbot.
These trojans are used to establish communication with the C2 servers, and to propagate and persist in the network.
As almost anybody can use Malware-as-a-Service, it is important to have rules to catch it, and you can find 3 new ones related to it in the Endpoint content extension!
As we are working on the dropper type of malware, one of the rules we built looks for the download of another malware. The Malware as a Service Behaviour rule triggers when a download utility is used shortly after a file has been created in a path associated with Emotet and Trickbot.
Apply BB:BehaviorDefinition: Malware as a Service Path IOC on events which are detected by the Local system
and when an event matches any of the following BB:DeviceDefinition: Operating System
and when the event category for the event is one of the following System.File Created, Audit.Object Access Success, Audit.File Access Success
and when the event matches REFERENCESETCONTAINS('Malware as a Service_Path', (CONCAT("File Directory", '\', "Filename"))) OR REFERENCESETCONTAINS('Malware as a Service_Path', "File Directory") AQL filter query
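To make the rule's path test and the "download utility shortly after the file creation" correlation concrete, here is an added Python re-implementation; it is not code from the content extension. The reference-set entries, the list of download utilities, the 5-minute window and the sample events are constructed assumptions.

```python
# Added example, not QRadar's own code: the path-IOC filter of the 'Malware
# as a Service Behaviour' rule plus the "download utility shortly after the
# file creation" correlation it describes, run over constructed events.
from datetime import datetime, timedelta

# Constructed stand-in for the 'Malware as a Service_Path' reference set.
MAAS_PATH_REFSET = {
    r"C:\Users\Public\example_emotet_dir",   # whole directory entry
    r"C:\ProgramData\example\dropper.exe",   # full path entry
}
# Assumptions not on the page: which binaries count as download utilities,
# and how long "shortly after" is.
DOWNLOAD_UTILITIES = {"powershell.exe", "certutil.exe", "bitsadmin.exe"}
WINDOW = timedelta(minutes=5)
FILE, PROC = "System.File Created", "System.Process Creation Success"

def path_ioc_match(file_directory, filename):
    """Mirror of the AQL filter: REFERENCESETCONTAINS on CONCAT(dir, '\\', file)
    OR on the directory alone, so a single entry can cover a whole folder."""
    full_path = f"{file_directory}\\{filename}"
    return full_path in MAAS_PATH_REFSET or file_directory in MAAS_PATH_REFSET

def maas_behaviour(events):
    """Return (host, utility, seconds_after) for each download utility started
    on a host within WINDOW of a file creation in an IOC path."""
    last_ioc_create, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        host, t = ev["host"], ev["time"]
        if ev["category"] == FILE:
            if path_ioc_match(ev["dir"], ev["file"]):
                last_ioc_create[host] = t
        elif ev["category"] == PROC:
            proc, t0 = ev["process"].lower(), last_ioc_create.get(host)
            if proc in DOWNLOAD_UTILITIES and t0 is not None and t - t0 <= WINDOW:
                hits.append((host, proc, int((t - t0).total_seconds())))
    return hits

def _ev(host, ts, category, **fields):  # constructed sample event
    return {"host": host, "time": datetime.fromisoformat(ts), "category": category, **fields}

SAMPLE_EVENTS = [
    _ev("ws01", "2020-06-01T10:00:00", FILE, dir=r"C:\Users\Public\example_emotet_dir", file="loader.dll"),
    _ev("ws01", "2020-06-01T10:01:30", PROC, process="PowerShell.exe"),
    _ev("ws02", "2020-06-01T10:00:00", FILE, dir=r"C:\Users\Bob\Documents", file="report.docx"),
    _ev("ws02", "2020-06-01T10:00:20", PROC, process="certutil.exe"),  # no IOC path on ws02
    _ev("ws03", "2020-06-01T10:00:00", FILE, dir=r"C:\ProgramData\example", file="dropper.exe"),
    _ev("ws03", "2020-06-01T10:30:00", PROC, process="bitsadmin.exe"),  # outside WINDOW
]
```

Only ws01 fires: ws02 never had a file created in a listed path, and ws03's download utility runs long after the window.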
The two other rules look for hashes in events and flows and are prepopulated with Trickbot and Emotet MD5, SHA-1 and SHA-256 hashes.
The rules are very similar in their filters to the existing "Detection of Malicious IOC" rules, but are meant to trigger a dedicated response, with the goal of increasing the visibility of the SOC analysts on what could be the beginning of a much greater attack.
How can I detect Ryuk ransomware?
You know how! By installing the Endpoint content extension of course!
With all the rules we already talked about over these last few months, you know you're ready to detect the early phases of many ransomware families, even before knowing exactly which one it is.
But in case Ryuk managed to move forward in its execution, we have additional rules that will help identify it!
Ryuk indicators have been added to the following existing (or copied) rules:
- Ransomware Decryption Instructions Created
- Ransomware Encrypted File Extension
- Ransomware: Ryuk IOC in Events
- Ransomware: Ryuk IOC in Flows
Ryuk is known to have a list of services that would prevent its normal functioning... so it simply kills them! The Ransomware: Ryuk Service or Process Termination rule looks for that behavior:
Apply Ransomware: Ryuk Service or Process Termination on events which are detected by the Local system
and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
and when the event category for the event is one of the following System.Process Creation Success
and when the event matches LOWER("Process Name") MATCHES '(net1|net|taskkill|sc|powershell|kill)\.(exe|bat)' AQL filter query
and when any of Terminated Process Name (custom) are contained in any of Ryuk Service and Process Termination List - AlphaNumeric (Ignore Case)
and when at least 3 events are seen with the same Process Name (custom) and different Terminated Process Name (custom) in 5 minutes
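As an added example (not code shipped with the content extension), here is the same rule logic re-implemented in Python over constructed events: the regex from the AQL filter, a stand-in reference set, and the "at least 3 events with the same Process Name and different Terminated Process Name in 5 minutes" threshold. The reference-set contents, the per-host grouping and the whole-string reading of MATCHES are assumptions.

```python
# Added example, not QRadar's own code: the logic of the 'Ransomware: Ryuk
# Service or Process Termination' rule run over constructed events.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex from the rule's AQL filter; AQL MATCHES is treated as a whole-string
# match here, so Process Name is assumed to be the bare executable name.
KILL_TOOLS = re.compile(r"(net1|net|taskkill|sc|powershell|kill)\.(exe|bat)")
# Constructed stand-in for the 'Ryuk Service and Process Termination List'
# reference set (the page does not reproduce it); compared ignoring case.
TERMINATION_LIST = {"example_backup_svc", "example_av_svc", "example_db_svc"}
WINDOW, THRESHOLD = timedelta(minutes=5), 3

def event_matches(ev):
    """Per-event filters of the rule: process creation, kill tool, listed target."""
    return (ev["category"] == "System.Process Creation Success"
            and KILL_TOOLS.fullmatch(ev["process_name"].lower()) is not None
            and ev["terminated"].lower() in TERMINATION_LIST)

def ryuk_termination_alerts(events):
    """Keys that terminated >= THRESHOLD distinct listed targets inside a
    sliding WINDOW. Grouping per host as well as Process Name is an assumption."""
    seen, alerts = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not event_matches(ev):
            continue
        key = (ev["host"], ev["process_name"].lower())
        bucket = seen[key]
        bucket.append((ev["time"], ev["terminated"].lower()))
        bucket[:] = [(t, n) for t, n in bucket if ev["time"] - t <= WINDOW]
        if len({n for _, n in bucket}) >= THRESHOLD and key not in alerts:
            alerts.append(key)
    return alerts

def _ev(host, ts, proc, term):  # constructed sample process-creation event
    return {"host": host, "time": datetime.fromisoformat(ts), "process_name": proc,
            "category": "System.Process Creation Success", "terminated": term}

SAMPLE_EVENTS = [
    _ev("srv01", "2020-06-01T09:00:00", "net.exe", "example_backup_svc"),
    _ev("srv01", "2020-06-01T09:00:05", "NET.EXE", "Example_AV_Svc"),
    _ev("srv01", "2020-06-01T09:00:09", "net.exe", "example_db_svc"),
    _ev("srv02", "2020-06-01T09:00:00", "taskkill.exe", "example_av_svc"),
    _ev("srv02", "2020-06-01T09:00:05", "taskkill.exe", "example_av_svc"),  # repeat
    _ev("srv02", "2020-06-01T09:00:09", "taskkill.exe", "notepad.exe"),  # unlisted
    _ev("srv03", "2020-06-01T09:00:00", "sc.exe", "example_backup_svc"),
    _ev("srv03", "2020-06-01T09:10:00", "sc.exe", "example_av_svc"),  # > 5 min gap
    _ev("srv03", "2020-06-01T09:10:30", "sc.exe", "example_db_svc"),
]
```

Only srv01 alerts: srv02 repeats one target and kills an unlisted one, and srv03 never reaches three distinct targets inside one 5-minute window. If your log source records the full path in Process Name, the whole-string regex will not match; check the property before relying on the rule.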
Here is the content of the reference set
How can I get a quick overview on ransomware activity in my network?
When dealing with ransomware, every minute counts in the incident response process, and getting a quick overview of what's happening from the very beginning of the attack is essential. We realized that while writing the blog Ransomware: Get ready to respond!, so we decided to build a new dashboard!
The dashboard contains 8 widgets related to ransomware:
- 1 with statistics about the number of machines affected per rule,
- 1 with statistics about the number of alerts per machine,
- 6 tables representing the six phases of an attack.
With this dashboard, the goal for the analysts is to keep the last phases, at the end of the dashboard, free of any alert.
Note: the dashboard queries the rules we associate with each phase and is meant to be tuned as you see fit for your context.
The rules of the early phases are not necessarily ransomware alerts, but they are definitely suspicious and could indicate that something is being prepared.
If you need any guidance on how to configure the log sources, Sysmon or Auditd, or which custom properties to install, please refer to the Endpoint monitoring essentials for QRadar blog.
Once again, the Endpoint content pack is here to give you tools to build your security environment and help SOC analysts understand more quickly what they are seeing in the alerts. Take the rules, adapt them, complete them with your own malicious behaviors or IOCs, and add what is important to your environment and your use cases.
You can find the latest version of the IBM QRadar Endpoint Content Extension on the App Exchange. Don't hesitate to give us any feedback or ideas: these packs are built for you, so tell us what you need.
If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.