Skip to content
    March 19, 2021

    Product Update: Detect Indicators of a Ransomware Attack

    Blumira’s incident detection engineers continue to crank out the security detection rules, automatically rolled into our platform to help you detect and respond to the latest attacks.

    This week, they’ve added findings that can help you identify indicators of a potential ransomware attack in progress so you can act quickly to remediate. With these new detections, Blumira’s platform alerts you to malicious behavior, including:

    • Attackers using hacking tools to move laterally throughout your network
    • Attackers using common Windows features to hide their activity from other security solutions
    • Attackers modifying folders, potentially attempting to exfiltrate your data

    Blumira’s platform can provide near real-time detection and high-confidence alerts of attacker activity in your environment, in addition to playbooks to guide you through faster remediation. We surface contextual information to help with investigations and forensics, and our security team is available if you have further questions.

    As a result, you can automate your security operations to prevent and detect a ransomware data breach.

    Written by Incident Detection Engineer Brian Laskowski:

    Requirements: To get the security detections below, you will need to install and configure Microsoft System Monitor (Sysmon). See how in How to Enable Sysmon.

    Detection: Bitsadmin Download
    Bitsadmin is software built into the Windows operating system, used for downloading files. Threat actors can take advantage of the software to download their own malicious payloads. Blumira recommends organizations review the software that was downloaded and confirm that it is approved software in your environment.

    Most recently, this attack was called out in a FireEye report on ransomware actors. After initial access, an attacker deployed additional malware, using different techniques to establish a foothold. They installed a backdoor on the target host, and used BITS Jobs and remote PowerShell downloads to download other tools.

    MITRE: T1197, Tactics: Defense Evasion, Persistence

    Detection: Startup Folder LNK File
    Startup folders are commonly used to auto run programs on boot. Threat actors can take advantage of this behavior to achieve persistence. A common method to do this is to place a crafted LNK file that, when run, executes a program that the threat actor wants to start on boot. Blumira recommends collecting and reviewing what the LNK file points to execute on the system.

    MITRE: T1547.001, Tactics: Persistence, Privilege Escalation

    Detection: System Services: Service Execution with Lateral Movement Tools
    Many penetration testing tools have a feature in them that takes advantage of the features of PSEXEC for sending files over SMB and then executing them via a service. If you do find the user that initiated the service creation, they may potentially be compromised, and Blumira recommends locating all devices the user is logged in on and consider isolating them while performing further investigation.

    MITRE: T1569.002, Tactic: Execution

    Detection: Default Execution Flags for Cobalt Strike
    Cobalt Strike is a commercially available post-exploitation framework. While intended for use by authorized penetration testers, cracked versions of the software are abundant and its ease of use makes it a popular choice among cyber criminals. This tool has been seen used by red teams, APT actors, and ransomware threat actors.

    MITRE: T1059.001, Tactic: Execution

    Detection: Default Execution Flags for PoshC2
    Posh C2 is an open source post-exploitation framework. This means it is freely available to download and is used by a threat actor usually when they are ready to begin moving laterally and escalate to exploiting an Active Directory infrastructure. This tool has been seen used by red teams, APT actors, and ransomware threat actors.

    MITRE: T1059.001, Tactic: Execution

    Detection: Default Execution Flags PowerShell Empire
    PowerShell Empire is an open source post-exploitation framework. This means it is freely available to download and is used by a threat actor usually when they are ready to begin moving laterally and escalate to exploiting an Active Directory infrastructure. This tool has been seen used by red teams, APT actors, and ransomware threat actors.

    MITRE: T1059.001, Tactic: Execution

    Written by Sr. Incident Detection Engineer Bill Reyor:

    Detection: Watch Folder on Linux Host Accessed
    This alert is triggered when a customer-configured watch folder on a linux host is modified or interacted with. This type of potential attacker behavior is commonly used for data exfiltration. Blumira recommends identifying if the alert activity was authorized and expected, and if it was not, then to review the alert for the source user and consider initiating incident response activities around this potentially compromised user account.

    Requirements: To get this security detection, you must configure log forwarding by integrating Linux auditd with Blumira. See how in our Linux auditd documentation.

    MITRE: TA0010, Tactic: Exfiltration

    See our other detections added recently this month and last:

    Learn more by watching a demo or requesting a live demo. Or, sign up for a free trial and deploy Blumira’s cloud SIEM in hours.

    Thu Pham

    Thu has over 15 years of experience in the information security and technology industries. Prior to joining Blumira, she held both content and product marketing roles at Duo Security, leading go-to-market (GTM) and messaging for the portfolio solution Cisco Zero Trust. She holds a bachelor of science degree in...

    More from the blog

    View All Posts