Description
These analytics are designed to identify and investigate atypical behaviors potentially associated with Rhysida ransomware. The searches detect irregular patterns or actions within systems or networks and serve as proactive measures for spotting indicators of compromise or ongoing threats. Using them, security analysts can pinpoint anomalous activity, such as unusual file modifications or deviations in system behavior, that could signify the presence of Rhysida ransomware or an infiltration attempt. These searches aid in swift detection, investigation, and mitigation to counter the impact of Rhysida ransomware or similar threats.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2023-12-12
- Author: Teoderick Contreras, Splunk
- ID: 0925ee49-1185-4484-94ac-7867764a9183
Narrative
This story addresses Rhysida ransomware. Rhysida Ransomware emerges as a silent predator, infiltrating systems stealthily and unleashing havoc upon its victims. Employing sophisticated encryption tactics, it swiftly locks critical files and databases, holding them hostage behind an impenetrable digital veil. The haunting demand for ransom sends shockwaves through affected organizations, rendering operations inert and plunging them into a tumultuous struggle between compliance and resilience. Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.
Detections
| Name | Technique | Type |
|---|---|---|
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting |
| Cmdline Tool Not Executed In CMD Shell | Command and Scripting Interpreter, JavaScript | TTP |
| Common Ransomware Extensions | Data Destruction | Hunting |
| Common Ransomware Notes | Data Destruction | Hunting |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| Detect PsExec With accepteula Flag | Remote Services, SMB/Windows Admin Shares | TTP |
| Detect Rare Executables | | Anomaly |
| Detect Renamed PSExec | System Services, Service Execution | Hunting |
| Detect Zerologon via Zeek | Exploit Public-Facing Application | TTP |
| Disable Logs Using WevtUtil | Indicator Removal, Clear Windows Event Logs | TTP |
| Domain Account Discovery With Net App | Domain Account, Account Discovery | TTP |
| Domain Controller Discovery with Nltest | Remote System Discovery | TTP |
| Domain Group Discovery With Net | Permission Groups Discovery, Domain Groups | Hunting |
| Elevated Group Discovery With Net | Permission Groups Discovery, Domain Groups | TTP |
| Excessive Usage Of Net App | Account Access Removal | Anomaly |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| High Process Termination Frequency | Data Encrypted for Impact | Anomaly |
| Malicious Powershell Executed As A Service | System Services, Service Execution | TTP |
| Modification Of Wallpaper | Defacement | TTP |
| NLTest Domain Trust Discovery | Domain Trust Discovery | TTP |
| Net Localgroup Discovery | Permission Groups Discovery, Local Groups | Hunting |
| Ntdsutil Export NTDS | NTDS, OS Credential Dumping | TTP |
| PowerShell 4104 Hunting | Command and Scripting Interpreter, PowerShell | Hunting |
| Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly |
| SAM Database File Access Attempt | Security Account Manager, OS Credential Dumping | Hunting |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP |
| SecretDumps Offline NTDS Dumping Tool | NTDS, OS Credential Dumping | TTP |
| Spike in File Writes | | Anomaly |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Suspicious wevtutil Usage | Clear Windows Event Logs, Indicator Removal | TTP |
| System User Discovery With Whoami | System Owner/User Discovery | Hunting |
| WinRM Spawning a Process | Exploit Public-Facing Application | TTP |
| Windows Modify Registry NoChangingWallPaper | Modify Registry | TTP |
| Windows PowerView AD Access Control List Enumeration | Domain Accounts, Permission Groups Discovery | TTP |
| Windows PowerView Constrained Delegation Discovery | Remote System Discovery | TTP |
| Windows PowerView Kerberos Service Ticket Request | Steal or Forge Kerberos Tickets, Kerberoasting | TTP |
| Windows PowerView SPN Discovery | Steal or Forge Kerberos Tickets, Kerberoasting | TTP |
| Windows PowerView Unconstrained Delegation Discovery | Remote System Discovery | TTP |
| Windows Rundll32 Apply User Settings Changes | System Binary Proxy Execution, Rundll32 | TTP |
Reference
source | version: 1