@jonathan-buttner jonathan-buttner commented Jun 7, 2021

This PR includes some changes to the ransomware fields. Mainly we want the whole Ransomware object to be reused for child_processes, and I also added the pid and executable fields.

@wburgess1

Just as an FYI, this is an alert generated by my endpoint branch and custom ransomware artifact, which implement the multi-process ransomware; it is useful to compare against the contents of this PR prior to merging:

Example multi process ransomware alert
type: keyword
description: Ransomware artifact version.

- name: child_pids
Collaborator Author

@wburgess1 just want to confirm that this field was never populated by the endpoint and that we want to remove it.

@wburgess1 wburgess1 Jun 23, 2021

cc @magermark for visibility. Yeah, to confirm, this was never populated by the endpoint. We added it to the schema in anticipation of needing to get better visibility around child processes a few months back but never got around to populating it. The Ransomware.child_processes introduced in this PR is the better solution in any case, and so child_pids is now irrelevant 👍
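As an added example (not code from this PR or from the endpoint), a small triage helper for the alert shape this thread converges on: a top-level Ransomware object whose shape is reused per child process, each child entry carrying pid and executable. It assumes child entries live under Ransomware.child_processes and falls back to a top-level RansomwareChildProcesses array (the key used by the alert from wburgess1's endpoint branch); the 7.5 entropy threshold and the sample alert values are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

HIGH_ENTROPY = 7.5  # assumption: file entropy at or above this "looks encrypted"
REQUIRED_CHILD_KEYS = {"pid", "executable", "files", "score"}


@dataclass
class ChildSummary:
    pid: int
    executable: str
    score: float
    n_files: int
    n_high_entropy: int   # files at or above HIGH_ENTROPY
    metrics: Counter      # e.g. how many files carried HEADER_MISMATCH


def child_entries(alert: dict) -> list:
    """Ransomware.child_processes (this PR), else a top-level RansomwareChildProcesses array."""
    children = alert.get("Ransomware", {}).get("child_processes")
    return children if children is not None else alert.get("RansomwareChildProcesses", [])


def summarize_child(entry: dict) -> ChildSummary:
    missing = REQUIRED_CHILD_KEYS - entry.keys()
    if missing:  # pid and executable are new in this PR; reject entries that predate it
        raise ValueError(f"child process entry missing {sorted(missing)}")
    metrics, high = Counter(), 0
    for f in entry["files"]:
        metrics.update(f.get("metrics", []))
        high += f.get("entropy", 0.0) >= HIGH_ENTROPY
    return ChildSummary(entry["pid"], entry["executable"], entry["score"],
                        len(entry["files"]), high, metrics)


def triage(alert: dict) -> dict:
    """Per-pid summaries, score per executable, and the de-duplicated affected paths."""
    children = child_entries(alert)
    summaries = [summarize_child(c) for c in children]
    by_exe = Counter()
    for s in summaries:
        by_exe[s.executable] += s.score
    return {
        "alert_score": alert["Ransomware"]["score"],
        "children": summaries,
        "score_by_executable": dict(by_exe),
        # several children in a multi-process alert may rewrite the same file
        "affected_paths": sorted({f["path"] for c in children for f in c["files"]}),
    }


# Constructed sample (not the alert posted in the thread): two PowerShell children
# rewriting the same target directory, plus a low-entropy .txt that carries no metrics.
def _file(path, entropy, score, metrics=()):
    f = {"path": path, "extension": path.rsplit(".", 1)[-1], "entropy": entropy,
         "operation": "modification", "score": score}
    return {**f, "metrics": list(metrics)} if metrics else f


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ALERT = {"Ransomware": {
    "feature": "behavior", "score": 100.0, "version": "1.1.2", "files": [],
    "child_processes": [
        {"executable": PS, "pid": 16588, "score": 18.85, "feature": "behavior", "files": [
            _file(r"c:\tmp\ransomware_target\a.doc", 7.82, 0.0, ["HEADER_MISMATCH", "ENTROPY_MISMATCH_VERY_HIGH"]),
            _file(r"c:\tmp\ransomware_target\b.pdf", 7.81, 1.55, ["HEADER_MISMATCH", "ENTROPY_VERY_HIGH"]),
            _file(r"c:\tmp\ransomware_target\c.txt", 0.05, 0.0)]},
        {"executable": PS, "pid": 4344, "score": 20.4, "feature": "behavior", "files": [
            _file(r"c:\tmp\ransomware_target\a.doc", 7.80, 0.0, ["HEADER_MISMATCH", "ENTROPY_MISMATCH_VERY_HIGH"]),
            _file(r"c:\tmp\ransomware_target\d.gif", 7.80, 1.55, ["HEADER_MISMATCH", "ENTROPY_VERY_HIGH"])]},
    ]}}
```

Calling `triage(SAMPLE_ALERT)` gives one summary per pid, the summed score per executable, and four distinct paths even though a.doc appears under both children.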

@jonathan-buttner jonathan-buttner changed the title POC for multi process ransomware Changes for multi process ransomware Jun 23, 2021
@jonathan-buttner jonathan-buttner requested a review from pzl June 23, 2021 17:47

@wburgess1 wburgess1 left a comment


I sanity checked new additions with existing schema // my changes in the endpoint and it LGTM.

@jonathan-buttner jonathan-buttner merged commit 0b4a9d7 into master Jul 12, 2021
@jonathan-buttner jonathan-buttner deleted the multi-process-rans-poc branch July 12, 2021 14:03