-
Notifications
You must be signed in to change notification settings - Fork 75
Expand file tree
/
Copy pathransomware_behavior_patterns.yml
More file actions
46 lines (44 loc) · 1.84 KB
/
Copy pathransomware_behavior_patterns.yml
File metadata and controls
46 lines (44 loc) · 1.84 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# Rule version v1.0.0
dataTypes:
- deceptive-bytes
name: Ransomware Behavior Detected in Deception Environment
impact:
confidentiality: 3
integrity: 3
availability: 3
category: Impact
technique: "T1486 - Data Encrypted for Impact"
adversary: origin
references:
- https://attack.mitre.org/techniques/T1486/
- https://attack.mitre.org/techniques/T1490/
- https://deceptivebytes.com/solution/
description: |
Detects ransomware-like behavior patterns when attackers interact with deceptive files, including rapid file enumeration, encryption attempts, and ransom note creation in the Deceptive Bytes deception environment.
Next Steps:
1. Immediately isolate the affected system from the network to prevent ransomware spread
2. Check the process name and path identified in the alert for known ransomware indicators
3. Review file system activity from the same process for encryption patterns
4. Check for shadow copy deletion attempts (vssadmin, wmic shadowcopy delete)
5. Look for network connections to potential C2 servers from the identified process
6. Preserve forensic evidence and memory dumps if possible
7. Verify if this is a deception environment interaction or production system compromise
8. Check for lateral movement attempts from the source IP address
9. Review backup integrity and availability before any restoration attempts
where: |
equals("log.event_type", "ransomware_behavior") &&
oneOf("log.behavior_pattern", ["mass_encryption", "file_enumeration", "ransom_note_drop"])
afterEvents:
- indexPattern: v11-log-deceptive-bytes-*
with:
- field: log.process
operator: filter_term
value: '{{.log.process}}'
- field: log.source_ip
operator: filter_term
value: '{{.log.source_ip}}'
within: 15m
count: 10
groupBy:
- lastEvent.log.hostname
- lastEvent.log.process