windows_high_file_deletion_frequency.yml
78 lines (78 loc) · 3.1 KB
name: Windows High File Deletion Frequency
id: 45b125c4-866f-11eb-a95a-acde48001122
version: 2
date: '2024-03-05'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
description: This search identifies a high frequency of file deletions relative to the process
  name and process ID. Such events typically occur when ransomware attempts to encrypt
  files with specific extensions, leading Sysmon to treat the original files
  as deleted as soon as they are replaced with encrypted data.
data_source:
- Sysmon EventID 23
- Sysmon EventID 26
search: '`sysmon` EventCode IN ("23","26") TargetFilename IN ("*.cmd", "*.ini","*.gif", "*.jpg", "*.jpeg", "*.db", "*.ps1", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.bmp","*.zip", "*.rar", "*.7z", "*.chm", "*.png", "*.log", "*.vbs", "*.js", "*.vhd", "*.bak", "*.wbcat", "*.bkf", "*.backup*", "*.dsk", "*.win") NOT TargetFilename IN ("*\\INetCache\\Content.Outlook\\*")
  | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid
  | rename Image as process
  | where count >=100
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_high_file_deletion_frequency_filter`'
how_to_implement: To successfully implement this search, you need to ingest logs that include the deleted target file name, process name, and process ID from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.
known_false_positives: Users may delete a large number of pictures or files in a folder, which could trigger this detection. Additionally, heavy usage of PowerBI and Outlook may also result in false positives.
references:
- https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft
- https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
tags:
  analytic_story:
  - Clop Ransomware
  - DarkCrystal RAT
  - Swift Slicer
  - Data Destruction
  - WhisperGate
  - Sandworm Tools
  asset_type: Endpoint
  confidence: 80
  impact: 90
  message: Elevated file deletion rate observed from process [$process_name$] on machine $dest$
  mitre_attack_id:
  - T1485
  observable:
  - name: user
    type: User
    role:
    - Victim
  - name: dest
    type: Endpoint
    role:
    - Victim
  - name: deleted_files
    type: File Name
    role:
    - Attacker
  - name: process_name
    type: Process
    role:
    - Attacker
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - EventCode
  - TargetFilename
  - dest
  - user
  - Image
  - ProcessID
  - _time
  risk_score: 72
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
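The SPL search above can be validated offline with a plain-Python equivalent of its filter and stats stages. This is an added example, not part of the Splunk security_content rule; the Sysmon-style records, the user, host, paths and process GUIDs it builds are constructed sample data, and the grouping omits the signature and process_name fields the SPL also groups by.

```python
from collections import defaultdict

DELETION_EVENT_CODES = {"23", "26"}  # Sysmon FileDelete / FileDeleteDetected, as in data_source
# Extension allowlist from the rule's TargetFilename IN (...); "*.backup*" is a substring match
WATCHED_EXTENSIONS = (
    ".cmd", ".ini", ".gif", ".jpg", ".jpeg", ".db", ".ps1", ".doc", ".docx", ".xls",
    ".xlsx", ".ppt", ".pptx", ".bmp", ".zip", ".rar", ".7z", ".chm", ".png", ".log",
    ".vbs", ".js", ".vhd", ".bak", ".wbcat", ".bkf", ".dsk", ".win")
EXCLUDED_PATH_FRAGMENT = "\\inetcache\\content.outlook\\"  # NOT TargetFilename IN (...)
THRESHOLD = 100  # | where count >= 100

def is_watched_deletion(event: dict) -> bool:
    """EventCode, extension and Outlook-cache exclusion filters from the rule's first line."""
    if event["EventCode"] not in DELETION_EVENT_CODES:
        return False
    target = event["TargetFilename"].lower()
    if EXCLUDED_PATH_FRAGMENT in target:
        return False
    return target.endswith(WATCHED_EXTENSIONS) or ".backup" in target

def high_file_deletion_frequency(events, threshold=THRESHOLD):
    """Mirror the SPL stats: count deletions per (user, dest, Image, process_guid)."""
    groups = defaultdict(lambda: {"count": 0, "deleted_files": set(), "times": []})
    for ev in filter(is_watched_deletion, events):
        g = groups[(ev["user"], ev["dest"], ev["Image"], ev["process_guid"])]
        g["count"] += 1
        g["deleted_files"].add(ev["TargetFilename"])
        g["times"].append(ev["_time"])
    return [{"user": k[0], "dest": k[1], "process": k[2], "process_guid": k[3],
             "count": g["count"], "deleted_files": sorted(g["deleted_files"]),
             "firstTime": min(g["times"]), "lastTime": max(g["times"])}
            for k, g in groups.items() if g["count"] >= threshold]

def _make_events(n, code, image, guid, path_fmt, t0):
    """Build n constructed Sysmon-style records one second apart (sample data, not real logs)."""
    return [{"EventCode": code, "user": "CORP\\alice", "dest": "ws01", "Image": image,
             "process_guid": guid, "TargetFilename": path_fmt.format(i), "_time": t0 + i}
            for i in range(n)]

# Constructed sample: hypothetical user, host, paths and process GUIDs.
SAMPLE_EVENTS = (
    _make_events(120, "23", "C:\\Users\\alice\\AppData\\Local\\Temp\\encryptor.exe", "{G1}",
                 "C:\\Users\\alice\\Documents\\report{}.docx", 1_700_000_000)   # fires
    + _make_events(60, "26", "C:\\Windows\\explorer.exe", "{G2}",
                   "C:\\Users\\alice\\Pictures\\IMG_{}.jpg", 1_700_000_500)   # below threshold
    + _make_events(150, "23", "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE", "{G3}",
                   "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\"
                   "Content.Outlook\\ABCD1234\\att{}.png", 1_700_001_000)   # excluded path
)
```

Running `high_file_deletion_frequency(SAMPLE_EVENTS)` returns one hit for the 120 `.docx` deletions; the Outlook cache churn is dropped by the path exclusion and the 60 picture deletions stay under the threshold, matching the known_false_positives note above.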