Try in Splunk Security Cloud
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackByte ransomware, including looking for file writes associated with BlackByte, persistence, initial access, account registry modification and more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Network_Traffic, Risk, Web
- Last Updated: 2023-07-10
- Author: Teoderick Contreras, Splunk
- ID: b18259ac-0746-45d7-bd1f-81d65274a80b
Narrative
BlackByte ransomware campaigns targeting business operations, involve the use of ransomware payloads, infection chain to collect and exfiltrate data and drop payload on the targeted system. BlackByte Ransomware operates by infiltrating a system through various methods, such as malicious email attachments, exploit kits, or compromised websites. Once inside a system, it begins encrypting files using strong encryption algorithms, rendering them unusable. After completing the encryption process, BlackByte Ransomware typically leaves a ransom note that explains the situation to the victim and provides instructions on how to pay the ransom to obtain the decryption key.
Detections
| Name |
Technique |
Type |
| Allow File And Printing Sharing In Firewall |
Disable or Modify Cloud Firewall, Impair Defenses |
TTP |
| Allow Network Discovery In Firewall |
Disable or Modify Cloud Firewall, Impair Defenses |
TTP |
| Anomalous usage of 7zip |
Archive via Utility, Archive Collected Data |
Anomaly |
| CMD Echo Pipe - Escalation |
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process |
TTP |
| Cobalt Strike Named Pipes |
Process Injection |
TTP |
| DLLHost with no Command Line Arguments with Network |
Process Injection |
TTP |
| Detect Exchange Web Shell |
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services |
TTP |
| Detect PsExec With accepteula Flag |
Remote Services, SMB/Windows Admin Shares |
TTP |
| Detect Regsvr32 Application Control Bypass |
System Binary Proxy Execution, Regsvr32 |
TTP |
| Detect Renamed PSExec |
System Services, Service Execution |
Hunting |
| Detect Webshell Exploit Behavior |
Server Software Component, Web Shell |
TTP |
| Disabling Firewall with Netsh |
Disable or Modify Tools, Impair Defenses |
Anomaly |
| Excessive File Deletion In WinDefender Folder |
Data Destruction |
TTP |
| Excessive Service Stop Attempt |
Service Stop |
Anomaly |
| Exchange PowerShell Abuse via SSRF |
Exploit Public-Facing Application, External Remote Services |
TTP |
| Exchange PowerShell Module Usage |
Command and Scripting Interpreter, PowerShell |
TTP |
| Executables Or Script Creation In Suspicious Path |
Masquerading |
Anomaly |
| Firewall Allowed Program Enable |
Disable or Modify System Firewall, Impair Defenses |
Anomaly |
| GPUpdate with no Command Line Arguments with Network |
Process Injection |
TTP |
| High Process Termination Frequency |
Data Encrypted for Impact |
Anomaly |
| MS Exchange Mailbox Replication service writing Active Server Pages |
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services |
TTP |
| Ping Sleep Batch Command |
Virtualization/Sandbox Evasion, Time Based Evasion |
Anomaly |
| ProxyShell ProxyNotShell Behavior Detected |
Exploit Public-Facing Application, External Remote Services |
Correlation |
| Registry Keys Used For Persistence |
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution |
TTP |
| Resize ShadowStorage volume |
Inhibit System Recovery |
TTP |
| Rundll32 with no Command Line Arguments with Network |
System Binary Proxy Execution, Rundll32 |
TTP |
| SearchProtocolHost with no Command Line with Network |
Process Injection |
TTP |
| Services Escalate Exe |
Abuse Elevation Control Mechanism |
TTP |
| Suspicious DLLHost no Command Line Arguments |
Process Injection |
TTP |
| Suspicious Driver Loaded Path |
Windows Service, Create or Modify System Process |
TTP |
| Suspicious GPUpdate no Command Line Arguments |
Process Injection |
TTP |
| Suspicious MSBuild Rename |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild |
Hunting |
| Suspicious Process File Path |
Create or Modify System Process |
TTP |
| Suspicious Rundll32 StartW |
System Binary Proxy Execution, Rundll32 |
TTP |
| Suspicious Rundll32 no Command Line Arguments |
System Binary Proxy Execution, Rundll32 |
TTP |
| Suspicious SearchProtocolHost no Command Line Arguments |
Process Injection |
TTP |
| Suspicious microsoft workflow compiler rename |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities |
Hunting |
| Suspicious msbuild path |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild |
TTP |
| W3WP Spawning Shell |
Server Software Component, Web Shell |
TTP |
| Windows Driver Load Non-Standard Path |
Rootkit, Exploitation for Privilege Escalation |
TTP |
| Windows Drivers Loaded by Signature |
Rootkit, Exploitation for Privilege Escalation |
Hunting |
| Windows Exchange Autodiscover SSRF Abuse |
Exploit Public-Facing Application, External Remote Services |
TTP |
| Windows MSExchange Management Mailbox Cmdlet Usage |
Command and Scripting Interpreter, PowerShell |
Anomaly |
| Windows Modify Registry EnableLinkedConnections |
Modify Registry |
TTP |
| Windows Modify Registry LongPathsEnabled |
Modify Registry |
Anomaly |
| Windows RDP Connection Successful |
RDP Hijacking |
Hunting |
| Windows Raw Access To Disk Volume Partition |
Disk Structure Wipe, Disk Wipe |
Anomaly |
| Windows Raw Access To Master Boot Record Drive |
Disk Structure Wipe, Disk Wipe |
TTP |
| Windows Vulnerable Driver Loaded |
Windows Service |
Hunting |
Reference
source | version: 1