Elastic Security Detection Rules

Potential Ransomware Note File Dropped via SMB

Last updated 6 months ago on 2025-02-14
Created a year ago on 2024-05-02

About

Identifies an incoming SMB connection followed by the creation of a file with a name similar to ransomware note files. This may indicate a remote ransomware attack via the SMB protocol.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: ImpactData Source: Elastic DefendLanguage: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Impact (TA0040)(opens in a new tab or window)

Data Destruction (T1485)(opens in a new tab or window)

Inhibit System Recovery (T1490)(opens in a new tab or window)

Lateral Movement (TA0008)(opens in a new tab or window)

Remote Services (T1021)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.file-*logs-endpoint.events.network-*
Related Integrations

endpoint(opens in a new tab or window)

Query
sequence by host.id with maxspan=1s
 [network where host.os.type == "windows" and
  event.action == "connection_accepted" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and
  source.ip != "127.0.0.1" and source.ip != "::1" and
  network.type == "ipv4" and not endswith(source.address, destination.address)]
 [file where host.os.type == "windows" and event.action == "creation" and
  process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-*") and file.extension : ("hta", "txt", "readme", "htm*") and
  file.path : "C:\\Users\\*" and
   /* ransom file name keywords */
    file.name : ("*read*me*", "*lock*", "*@*", "*RECOVER*", "*decrypt*", "*restore*file*", "*FILES_BACK*", "*how*to*")] with runs=3

Install detection rules in Elastic Security

Detect Potential Ransomware Note File Dropped via SMB in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).