topic Re: Help with creating a report and alert for Cryptolocker (or bulk file modification) in Alerting

Help with creating a report and alert for Cryptolocker (or bulk file modification)

bretmorr — Fri, 08 Jan 2016 01:49:45 GMT

Hi guys

We were hit with Cryptolocker about 5 months ago, and since then, we have gone through a bit of an overhaul of our security infrastructure and processes. Included in this was installing and configuring Splunk to help with log file collection and reporting.
One thing I would like to do it create a report and alert based on basically what Crypto does - bulk file changes - as I know from experience that it will attack as many files on as many shares as it can find as quickly as possible.

Being a noob to Splunk, I was wondering if anyone has anything useful I could use as a basis for building this into our Splunk alerting and reporting? At the moment, I only have a basic search created, purely for testing as follows:

"EventCode=4663" WriteData | top limit=20 Account_Name | where count>20

Any help would be appreciated and help me learn a bit more.
cheers,
Brett

Re: Help with creating a report and alert for Cryptolocker (or bulk file modification)

hettervik — Fri, 08 Jan 2016 07:50:53 GMT

Hi,

I've not made a detection mechanism for CryptoLocker in Splunk myself, but I've looked into the issue on one occasion earlier. What I found was that you can (on Windows machines) activate something called file auditing, which track changes on files. If you forward the logs from file auditing to Splunk you could make an alarm that triggers if there are e.g. more that x file changes over y minutes. Have a look at (1) the blog from Hacker Hurricane for more information about Splunk and CryptoLocker, and see (2) the blog from Splunk for information on file auditing in Windows.

(1) http://hackerhurricane.blogspot.no/2014/01/how-to-detect-cryptolocker-type-attack.html
(2) http://blogs.splunk.com/2013/07/08/audit-file-access-and-change-in-windows/

Re: Help with creating a report and alert for Cryptolocker (or bulk file modification)

bretmorr — Fri, 15 Jan 2016 00:15:52 GMT

Thanks for the information. The current alert seems to be working I just need to tune to avoid too many false positives.

Re: Help with creating a report and alert for Cryptolocker (or bulk file modification)

jkat54 — Fri, 15 Jan 2016 01:54:44 GMT

What if you run that search you've got every hour and then if the count is greater than X it would register. So in your case you used:

  where count>20

So if 100/hour is your threshold then run this every hour looking at last 60m where count greater than 100. Have it trigger alerts or feed into a summary index.

You could also get into stats like standard deviation etc. Lots of options. Standard deviation is probably your best bet because the user will be normaly writing 5/hr then jump to 50000/min or something.

Yeah check out the stats and eval commands. They will be your friends for this.