Help with creating a report and alert for Cryptolocker (or bulk file modification)

bretmorr
New Member

Hi guys

We were hit with Cryptolocker about 5 months ago, and since then, we have gone through a bit of an overhaul of our security infrastructure and processes. Included in this was installing and configuring Splunk to help with log file collection and reporting.
One thing I would like to do is create a report and alert based on basically what Crypto does - bulk file changes - as I know from experience that it will attack as many files on as many shares as it can find as quickly as possible.

Being a noob to Splunk, I was wondering if anyone has anything useful I could use as a basis for building this into our Splunk alerting and reporting? At the moment, I only have a basic search created, purely for testing as follows:

"EventCode=4663" WriteData | top limit=20 Account_Name | where count>20

Any help would be appreciated and help me learn a bit more.
cheers,
Brett

0 Karma

jkat54
SplunkTrust

What if you run that search you've got every hour and then if the count is greater than X it would register. So in your case you used:

  where count>20

So if 100/hour is your threshold then run this every hour looking at the last 60m where count is greater than 100. Have it trigger alerts or feed into a summary index.

You could also get into stats like standard deviation etc. Lots of options. Standard deviation is probably your best bet because the user will normally be writing 5/hr and then jump to 50000/min or something.

Yeah check out the stats and eval commands. They will be your friends for this.

0 Karma
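Added example (not from this thread, and not Splunk's own code): the hourly per-account check from the answer above, run offline in Python over constructed 4663 WriteData events, applying both the fixed threshold and a standard-deviation baseline built from each account's earlier hours. The key=value line layout is assumed for illustration.

```python
import re
import statistics
from collections import defaultdict

# Assumed key=value layout of a Windows 4663 event (illustration only, not a real render).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d):\d\d:\d\d EventCode=(?P<code>\d+) "
    r"Account_Name=(?P<acct>\S+) Accesses=(?P<access>\S+)"
)

def build_sample_events():
    """Constructed lines (not real data): quiet baseline, then alice writes 600 files at 12:00."""
    lines = []
    per_hour = {"alice": [4, 5, 6, 5, 600], "bob": [4, 4, 5, 4, 4]}
    for acct, counts in per_hour.items():
        for hour, n in zip(range(8, 13), counts):
            for i in range(n):
                lines.append(f"2024-05-01 {hour:02d}:{i % 60:02d}:00 EventCode=4663 "
                             f"Account_Name={acct} Accesses=WriteData Object_Name=\\\\fs1\\share\\f{i}.docx")
    # Reads and non-4663 events must not be counted as writes.
    lines.append("2024-05-01 12:00:00 EventCode=4663 Account_Name=bob Accesses=ReadData Object_Name=x")
    lines.append("2024-05-01 12:00:00 EventCode=4656 Account_Name=bob Accesses=WriteData Object_Name=x")
    return lines

def hourly_write_counts(lines):
    """Count WriteData 4663 events per account per hour (the SPL bucket + stats count step)."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = EVENT_RE.match(line)
        if m and m["code"] == "4663" and "WriteData" in m["access"]:
            counts[m["acct"]][m["ts"]] += 1
    return counts

def flag_bulk_writers(counts, threshold=100, z_limit=3.0, min_baseline=3):
    """Flag an hour above a fixed threshold or > z_limit std devs above the account's earlier hours."""
    alerts = []
    for acct, per_hour in counts.items():
        hours = sorted(per_hour)
        for i, hour in enumerate(hours):
            n, reasons = per_hour[hour], []
            if n > threshold:
                reasons.append(f"count {n} > {threshold}")
            baseline = [per_hour[h] for h in hours[:i]]  # only hours before this one
            if len(baseline) >= min_baseline:
                mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
                if sd > 0 and (n - mean) / sd > z_limit:
                    reasons.append(f"z={(n - mean) / sd:.1f} above baseline mean {mean:.1f}")
            if reasons:
                alerts.append((acct, hour, n, reasons))
    return alerts
```

In Splunk the same two checks are the `bucket _time span=1h | stats count by Account_Name, _time` step followed by `eventstats avg(count) as avg, stdev(count) as sd by Account_Name | where count>100 OR count>avg+3*sd`; the Python version only makes the baseline logic visible so it can be tuned before it becomes an alert.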

hettervik
Builder

Hi,

I've not made a detection mechanism for CryptoLocker in Splunk myself, but I've looked into the issue on one occasion earlier. What I found was that you can (on Windows machines) activate something called file auditing, which tracks changes on files. If you forward the logs from file auditing to Splunk you could make an alarm that triggers if there are e.g. more than x file changes over y minutes. Have a look at (1) the blog from Hacker Hurricane for more information about Splunk and CryptoLocker, and see (2) the blog from Splunk for information on file auditing in Windows.

(1) http://hackerhurricane.blogspot.no/2014/01/how-to-detect-cryptolocker-type-attack.html
(2) http://blogs.splunk.com/2013/07/08/audit-file-access-and-change-in-windows/

0 Karma

bretmorr
New Member

Thanks for the information. The current alert seems to be working; I just need to tune it to avoid too many false positives.

0 Karma