@keyboardcrunch
Last active November 6, 2020 20:01
A few days back Red Canary dropped a blog post titled "A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak", which highlighted 10 detection opportunities for stopping the most recent Bazar/Ryuk ransomware infections. Below are the 10 SentinelOne Deep Visibility queries I've come up with for detecting those techniques.

1. Process hollowing of cmd.exe

T1055.012 Hollowing of cmd.exe

SrcProcParentName = "cmd.exe" AND SrcProcName In AnyCase ("svchost.exe","explorer.exe","nltest.exe","net.exe") AND DstPort In ("443","53")

2. Enumerating domain trusts activity with nltest.exe

T1482 Domain Trust Discovery

TgtProcName = "nltest.exe" AND (TgtProcCmdLine ContainsCIS "domain_trusts" OR TgtProcCmdLine ContainsCIS "all_trusts" OR TgtProcCmdLine ContainsCIS "dclist")

3. Enumerating domain admins with net group

T1087 Domain Administrator Enumeration

TgtProcName In AnyCase ("net.exe","net1.exe") AND (TgtProcCmdLine ContainsCIS "domain admins" OR TgtProcCmdLine ContainsCIS "enterprise admins") AND SrcProcParentName Not In ("gpscript.exe")

4. Process hollowing of explorer.exe

T1055.012 Hollowing of Explorer or Svchost

(SrcProcParentName In AnyCase ("explorer.exe") AND SrcProcName In AnyCase ("svchost.exe")) OR ( SrcProcParentName Not In ("services.exe") AND SrcProcName In AnyCase ("svchost.exe") AND SrcProcCmdLine IS EMPTY )

5. Attempted lateral movement via WMI + PowerShell + Cobalt Strike

T1021 Lateral Movement WMI/PS/CS

SrcProcParentName In AnyCase ("WmiPrvse.exe") AND SrcProcName In AnyCase ("cmd.exe") AND TgtProcName In AnyCase ("powershell.exe") AND SrcProcUser Not In ("DOMAIN\svcServiceNowScan","DOMAIN\svcTenableScan") AND TgtProcCmdLine Does Not ContainCIS "C:\Windows\ccmcache"

6. Lateral movement via Cobalt Strike’s SMB PsExec module

T1021 Lateral Movement CS SMB

(SrcProcName In AnyCase ("rundll32.exe") AND SrcProcCmdLine IS EMPTY) OR (SrcProcName In AnyCase ("rundll32.exe") AND NetConnOutCount > "0" AND SrcProcParentName Not In ("splwow64.exe"))

7. Enumerating enterprise administrator accounts

See item 3.

8. Credential access using lsass from regsvr32

T1003.001 LSASS Memory Dump

TgtProcImageSha1 = "f0c52cea19c204f5cdbe952cc7cfc182e20d8d43" OR TgtProcCmdLine ContainsCIS "-ma lsass.exe" OR TgtProcCmdLine ContainsCIS "comsvcs.dll, MiniDump" OR TgtFilePath = "C:\Windows\Temp\dumpert.dmp" OR TgtFilePath RegExp "^.*lsass.*\.DMP" OR ( SrcProcCmdLine ContainsCIS "sekurlsa::minidump" OR SrcProcCmdLine ContainsCIS "sekurlsa::logonpasswords" ) OR SrcProcCmdLine ContainsCIS "live lsa"

9. Bloodhound execution

T1484 Bloodhound Enumeration

(TgtProcName = "regsvr32.exe" AND TgtProcCmdLine IS EMPTY AND NetConnOutCount > "0") OR (NetConnOutCount > "1000" AND DstPort = "445")

10. Adfind extracting information from Active Directory

T1069.002 Domain Groups Discovery

TgtProcDisplayName ContainsCIS "AdFind" OR TgtProcCmdLine ContainsCIS "trustdmp" OR TgtProcCmdLine ContainsCIS "-f \"(objectcategory="
