Lakshay Sharma

Demystifying Ransomware Investigations: Expert Tips and Methods


Ransomware attacks are a growing concern for individuals and organizations alike. Investigating one on a device means correlating several logs and event sources to establish the scope, origin and impact of the incident. Preserve those sources first (an image of the host, or a copy of the logs pulled to a collection system), because, as the sections below show, the logs are exactly what the attacker tries to clear. Here are some practical tips for investigating ransomware attacks effectively:

Windows Event Logs (Event IDs)

  • 4624: Successful Logon: Check for logons by unexpected accounts, from unexpected source hosts or at unusual hours. The Logon Type field tells you how the logon happened: 2 is interactive, 3 is network (SMB, WinRM), 10 is RemoteInteractive (RDP).

  • 4625: Failed Logon: Repeated failures against one account indicate password guessing; a few failures against many accounts indicate password spraying. Stolen credentials produce successes rather than failures, so pair a 4625 burst with any 4624 from the same source shortly after it.

  • 4688: Process Creation: Identify the ransomware binary, its parent process and how it arrived. The command line is only recorded when "Include command line in process creation events" is enabled in audit policy; without it, 4688 shows the image path alone.

  • 7045: Service Installed: Logged in the System log, not the Security log (the Security-log equivalent is 4697). Review every new service, since some ransomware and many remote-access tools install themselves this way, and pay attention to image paths outside the usual program directories.

  • 5145: Detailed File Share Access: Records access to individual files on a share, which is where ransomware does much of its damage. It requires the "Audit Detailed File Share" subcategory and is very noisy; 5140 records access at the share level.


Firewall and Network Logs

  • Review firewall logs for unusual outbound traffic, connections to known malicious IP addresses, and large transfers out of the network (many ransomware groups exfiltrate data before encrypting).

  • Check for changes to the firewall configuration. Attackers commonly add or delete host firewall rules (for example with netsh advfirewall) to open RDP or SMB, or disable the profile entirely.

  • Look for connections from the infected device to other hosts on the network, especially over SMB (445), RDP (3389) and WinRM (5985/5986): these are indicators of lateral movement.


Antivirus and EDR logs

  • Review alerts and notifications from antivirus or EDR solutions, including ones that were auto-resolved or suppressed.

  • Analyse the files quarantined by antivirus or EDR, and any activity flagged as suspicious within roughly 30 minutes either side of the first alert; the initial access and staging usually sit in that window.


Script Execution

  • Ransomware operators frequently use scripting engines, PowerShell in particular, for staging, defence evasion and shadow copy deletion, even when the encryptor itself is a compiled binary. Review the PowerShell logs: Event ID 400 (engine start, in the Windows PowerShell log, present by default) and Event ID 4104 (Script Block Logging in Microsoft-Windows-PowerShell/Operational, which must be enabled by policy and records script content as the engine executes it, so Base64-encoded commands appear decoded).


DNS Logs

  • Check DNS logs for resolutions of suspicious, newly registered or algorithmically generated domains, and correlate the lookups with outbound connections in the firewall logs to find the command-and-control channel.


File Modification and Access Logs

  • Look at the volume and timing of file modifications: encryption shows up as a burst of writes and renames across many directories in a short window, usually from a single process.

  • Note newly introduced extensions (the ransomware's suffix), changed timestamps, and ransom notes dropped into each affected directory. The file content itself is telling: encrypted files have a near-uniform byte distribution, while the originals do not.

  • Check connected external drives and mapped network shares as well, since ransomware enumerates and encrypts them.
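
The following Python script is an added example, not code from the original post, that applies the checks above to a directory: it tallies extensions, finds ransom-note file names, measures byte entropy to spot encrypted content, and looks for a burst of modification times. The thresholds, the note-name pattern and the sample tree (built in a temporary directory) are constructed for this demo and should be tuned for a real estate.

```python
"""Triage of a file tree for the artefacts the section above describes.
Added example, not code from the original post: it tallies extensions, finds
ransom-note file names, measures byte entropy to spot encrypted content and
looks for a burst of modification times. Thresholds, the note-name pattern
and the sample tree are constructed for this demo; tune them for a real estate.
"""
import math
import os
import re
import tempfile
from collections import Counter

NOTE_NAME = re.compile(r"(readme|restore|recover|decrypt|how[_ ]?to).*\.(txt|html?|hta)$", re.I)
ENTROPY_THRESHOLD = 7.5  # bits per byte; text is ~4-5, encrypted or compressed data ~8
BURST_WINDOW = 120       # seconds; files modified closer together than this count as one burst


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, sample_bytes=4096):
    """One record per file: extension, mtime, entropy of the first bytes, note flag."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            records.append({"path": path, "ext": os.path.splitext(name)[1].lower(),
                            "mtime": os.path.getmtime(path), "entropy": shannon_entropy(head),
                            "note": bool(NOTE_NAME.search(name))})
    return records


def summarize(records):
    encrypted = [r for r in records if r["entropy"] >= ENTROPY_THRESHOLD]
    mtimes = sorted(r["mtime"] for r in records)
    burst, j = 0, 0
    for i in range(len(mtimes)):  # densest BURST_WINDOW-second window
        while j < len(mtimes) and mtimes[j] - mtimes[i] <= BURST_WINDOW:
            j += 1
        burst = max(burst, j - i)
    suffix = Counter(r["ext"] for r in encrypted).most_common(1)
    return {"ext_counts": dict(Counter(r["ext"] for r in records)),
            "high_entropy": sorted(r["path"] for r in encrypted),
            "ransom_notes": sorted(r["path"] for r in records if r["note"]),
            "burst_modified": burst,
            "likely_suffix": suffix[0][0] if suffix else None}


def build_sample_tree(root):
    """Constructed victim directory: one untouched original, three encrypted files, a note."""
    base = 1_709_258_400  # 2024-03-01 02:00:00 UTC
    plain = b"Quarterly report: revenue up 4% on the prior period.\n" * 40
    layout = [("docs/report.docx", plain, base - 86_400),
              ("docs/budget.xlsx.locked", os.urandom(4096), base + 10),
              ("docs/plan.pptx.locked", os.urandom(4096), base + 25),
              ("docs/notes.txt.locked", os.urandom(4096), base + 41),
              ("docs/README_TO_RESTORE.txt", b"All your files are encrypted.\n", base + 60)]
    for rel, data, mtime in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))


def demo():
    """Build the sample tree in a temp dir, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return summarize(scan_tree(root))


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On the sample tree the summary reports `.locked` as the likely suffix, the three high-entropy files, the ransom note, and four files modified inside one two-minute window. Entropy is computed on the first 4 KiB only; some families encrypt only the head of large files, so on a real case compare the head and the tail as well.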


Event ID 1102: Security Log Cleared


Check for unauthorised clearing of the Security log (1102, which records the account that cleared it) and of the System and Application logs (Event ID 104), since most attackers try to cover their tracks. A cleared log is itself a strong marker on the timeline: whatever happened before the clear is what they wanted gone, so recover it from forwarded copies, backups or volume shadow copies if any survive.


User and Account Activity Logs


Check user account activity for unusual or unauthorised actions: accounts created (4720), enabled (4722) or given new passwords (4724), accounts added to privileged groups (4728 for global groups, 4732 for local groups), and logons granted special privileges (4672).


Backup Logs


Analyse the backup system's logs to determine whether backups were deleted, jobs disabled, retention shortened or the backup agent stopped before the encryption started; ransomware targets backups first so that the victim has no recovery path.


Shadow copy deletion should also be checked. It typically appears in 4688 command lines as vssadmin delete shadows, wmic shadowcopy delete, or Win32_ShadowCopy calls from PowerShell, often alongside bcdedit /set {default} recoveryenabled no and wbadmin delete catalog.


Remote-Desktop Protocol Logs

  • If RDP is enabled, look for unauthorised access: 4624 with Logon Type 10 in the Security log (and 4625 with Type 10 for failed attempts), Event IDs 21 (session logon) and 25 (session reconnect) in Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, and Event ID 1149 in Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational, which records the source address of a connection before credentials are checked. Compare the source addresses with what is expected for that account.


Active Directory Logs and Lateral Movement Check

  • Investigate modifications to user accounts, group memberships, organizational units and Group Policy objects in the Active Directory logs, since attackers often push the encryptor out through a GPO or a scheduled task created on the domain.

  • Check for lateral movement and Kerberos abuse as well: Pass-the-Hash (4624 Logon Type 3 with the NTLM authentication package from an account that normally authenticates with Kerberos), Pass-the-Ticket, and forged Golden, Silver, Diamond and Sapphire tickets, which leave anomalies in 4768/4769 on the domain controllers such as RC4 encryption types where AES is the norm or service ticket requests with no matching TGT request.


Disabled Security Tools


Ransomware commonly disables or tampers with antivirus and EDR before it starts encrypting. Look for Windows Defender events 5001 (real-time protection disabled) and 5007 (configuration changed, including new exclusions), for Set-MpPreference calls in the PowerShell logs, for security services entering the stopped state (Event ID 7036 in the System log), and for EDR agents that stopped reporting shortly before the encryption started.
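
As an added example that is not code from the original post, the Python script below runs the checks from the event-log, log-clearing, backup, RDP and security-tool sections above over a constructed export of Windows events: a 4625 burst followed by a 4624 RDP logon from the same source, a vssadmin shadow-copy deletion in 4688, a new service with a binary under C:\Users\Public, a Defender 5001, and a 1102. The field names, thresholds and sample events are assumptions for the demo; a real export from Get-WinEvent or an EVTX converter needs a small mapping step into this flat shape.

```python
"""Triage of exported Windows events for the ransomware indicators above.
Added example, not code from the original post. Field names follow a
flattened Get-WinEvent | ConvertTo-Json export; names, thresholds and
the sample events are constructed for this demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that remove recovery options. 4688 carries the command line
# only when "Include command line in process creation events" is enabled.
RECOVERY_TAMPER = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|"
                             r"bcdedit.*recoveryenabled\s+no|wbadmin.*delete\s+catalog", re.I)
# Crude allow-list for 7045 image paths; attackers also drop binaries into System32.
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files")

# Constructed sample export for one host; times are UTC.
SAMPLE_EVENTS = [
    {"EventID": 4625, "Channel": "Security", "Time": f"2024-03-01T02:00:{s:02d}",
     "TargetUserName": "Administrator", "IpAddress": "10.0.0.55", "LogonType": 3}
    for s in (1, 4, 9, 15, 22, 31)
] + [
    {"EventID": 4624, "Channel": "Security", "Time": "2024-03-01T02:00:40",
     "TargetUserName": "Administrator", "IpAddress": "10.0.0.55", "LogonType": 10},
    {"EventID": 4688, "Channel": "Security", "Time": "2024-03-01T02:05:12",
     "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 7045, "Channel": "System", "Time": "2024-03-01T02:06:00",
     "ServiceName": "WinUpdSvc", "ImagePath": "C:\\Users\\Public\\upd.exe"},
    {"EventID": 5001, "Channel": "Microsoft-Windows-Windows Defender/Operational",
     "Time": "2024-03-01T02:06:30"},
    {"EventID": 1102, "Channel": "Security", "Time": "2024-03-01T02:30:00",
     "SubjectUserName": "Administrator"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def _key(event):
    return (event.get("TargetUserName", "").lower(), event.get("IpAddress"))


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Clusters of 4625 per (account, source IP): password guessing or spraying."""
    times = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            times[_key(e)].append(_ts(e))
    bursts = {}
    for key, ts in times.items():
        ts.sort()
        j = 0
        for i in range(len(ts)):  # sliding window over sorted timestamps
            while j < len(ts) and ts[j] - ts[i] <= window:
                j += 1
            if j - i >= threshold:
                bursts[key] = max(bursts.get(key, 0), j - i)
    return bursts


def logons_after_bursts(events, bursts, within=timedelta(minutes=30)):
    """A 4624 for a pair that was just brute-forced means the guessing worked.
    LogonType 10 is RemoteInteractive (RDP); 3 is network (SMB, WinRM)."""
    failures = [(_key(e), _ts(e)) for e in events if e["EventID"] == 4625]
    return [(e["TargetUserName"], e["IpAddress"], e["LogonType"], e["Time"])
            for e in events if e["EventID"] == 4624 and _key(e) in bursts
            and any(k == _key(e) and timedelta(0) <= _ts(e) - t <= within
                    for k, t in failures)]


def recovery_tampering(events):
    """4688 command lines that delete shadow copies or disable recovery."""
    return [e["CommandLine"] for e in events if e["EventID"] == 4688
            and RECOVERY_TAMPER.search(e.get("CommandLine", ""))]


def suspicious_services(events):
    """7045 (System log) whose binary lives outside the usual program directories."""
    return [(e["ServiceName"], e["ImagePath"]) for e in events if e["EventID"] == 7045
            and not e["ImagePath"].lower().startswith(TRUSTED_SERVICE_DIRS)]


def security_tool_tampering(events):
    """Defender 5001 = real-time protection disabled, 5007 = configuration changed."""
    return [(e["EventID"], e["Time"]) for e in events if e["EventID"] in (5001, 5007)
            and e["Channel"].endswith("Windows Defender/Operational")]


def log_clearing(events):
    """1102 = Security log cleared; 104 = System or Application log cleared."""
    return [(e["Channel"], e["EventID"], e["Time"]) for e in events
            if (e["Channel"], e["EventID"]) in {("Security", 1102), ("System", 104)}]


def triage(events):
    events = sorted(events, key=_ts)
    bursts = failed_logon_bursts(events)
    return {"bruteforce": bursts,
            "logon_after_bruteforce": logons_after_bursts(events, bursts),
            "recovery_tampering": recovery_tampering(events),
            "new_services": suspicious_services(events),
            "security_tools": security_tool_tampering(events),
            "log_cleared": log_clearing(events)}
```

Calling `triage(SAMPLE_EVENTS)` returns one finding per section: the six-failure burst against Administrator from 10.0.0.55, the Type 10 logon that followed it nine seconds later, the vssadmin command line, the service under C:\Users\Public, the Defender 5001 and the 1102. Because every check keys on the same timestamps, the output reads as a timeline of the intrusion; on a real case feed it the events from all hosts, not only the one that showed the ransom note.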


 

Conclusion: Investigating a ransomware attack demands a detailed approach that draws on a number of logs and event sources to construct a picture of the whole incident. Careful review of the Windows event logs, firewall and network logs, antivirus and EDR alerts, script execution events, DNS queries, file modifications and user activity reveals the vital details of the attack's scope, origin and impact.


It also involves checking for cleared security logs, reviewing backup and RDP logs, scrutinising Active Directory changes and looking for disabled security tools. These steps are critical to the investigation: they go a long way towards understanding and containing the current attack, and towards fortifying your defences against future threats.


While a ransomware attack can be paralysing, thorough investigation combined with a proactive security posture turns the tables, minimising the impact on your organization and improving its resilience. Apply these tips, keep refining your investigation playbook, and you will stay ahead of the criminals looking to compromise your data and systems.

