Alerting

Help with creating a report and alert for Cryptolocker (or bulk file modification)

bretmorr
New Member

Hi guys

We were hit with Cryptolocker about 5 months ago, and since then, we have gone through a bit of an overhaul of our security infrastructure and processes. Included in this was installing and configuring Splunk to help with log file collection and reporting.
One thing I would like to do is create a report and alert based on basically what Crypto does - bulk file changes - as I know from experience that it will attack as many files on as many shares as it can find as quickly as possible.

Being a noob to Splunk, I was wondering if anyone has anything useful I could use as a basis for building this into our Splunk alerting and reporting? At the moment, I only have a basic search created, purely for testing as follows:

"EventCode=4663" WriteData | top limit=20 Account_Name | where count>20

Any help would be appreciated and help me learn a bit more.
cheers,
Brett

0 Karma

jkat54
SplunkTrust

What if you run that search you've got every hour and then if the count is greater than X it would register. So in your case you used:

  where count>20

So if 100/hour is your threshold then run this every hour looking at last 60m where count greater than 100. Have it trigger alerts or feed into a summary index.

You could also get into stats like standard deviation etc. Lots of options. Standard deviation is probably your best bet because the user will normally be writing 5/hr and then jump to 50000/min or something.

Yeah check out the stats and eval commands. They will be your friends for this.

0 Karma
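The hourly-count-plus-standard-deviation idea above, worked through as an added example that is not from the thread: it parses constructed Windows 4663 lines (key=value style, with WriteData in Accesses), counts writes per Account_Name per hour, and flags an account whose latest hour exceeds its own baseline mean plus k standard deviations and an absolute floor. The log lines, account names and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Matches constructed lines like:
# "2024-01-01T03:07:12 EventCode=4663 Account_Name=alice Accesses=WriteData Object_Name=..."
EVENT_RE = re.compile(
    r"^\S+T(?P<hour>\d{2}):\S+\s+EventCode=(?P<code>\d+)\s+"
    r"Account_Name=(?P<acct>\S+)\s+Accesses=(?P<acc>\S+)"
)

def build_sample_events():
    """Constructed sample data: alice and bob write a handful of files per hour
    for ten hours, then alice writes 500 files in hour 10 (simulated outbreak)."""
    lines = []
    for hour in range(11):
        alice_writes = 500 if hour == 10 else 5
        for acct, n in (("alice", alice_writes), ("bob", 6)):
            for i in range(n):
                lines.append(f"2024-01-01T{hour:02d}:07:{i % 60:02d} EventCode=4663 "
                             f"Account_Name={acct} Accesses=WriteData "
                             f"Object_Name=\\\\fs01\\share\\file{i}.docx")
    # Noise the detection must ignore: a read access and a non-4663 event.
    lines.append("2024-01-01T10:30:00 EventCode=4663 Account_Name=alice Accesses=ReadData Object_Name=x")
    lines.append("2024-01-01T10:31:00 EventCode=4656 Account_Name=alice Accesses=WriteData Object_Name=x")
    return lines

def hourly_write_counts(lines):
    """Return {account: {hour: write_count}} for 4663 events carrying WriteData."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m["code"] != "4663" or "WriteData" not in m["acc"]:
            continue
        counts[m["acct"]][int(m["hour"])] += 1
    return counts

def flag_bulk_writers(counts, current_hour, k=3.0, floor=100):
    """Flag accounts whose current-hour writes exceed max(floor, mean + k*stdev)
    of their earlier hours. The floor stops a flat baseline (stdev 0) from
    turning a trivial 5 -> 7 change into an alert."""
    flagged = {}
    for acct, by_hour in counts.items():
        history = [by_hour.get(h, 0) for h in range(current_hour)]
        if len(history) < 2:
            continue  # not enough baseline to judge
        threshold = max(floor, mean(history) + k * pstdev(history))
        now = by_hour.get(current_hour, 0)
        if now > threshold:
            flagged[acct] = (now, round(threshold, 1))
    return flagged
```

The same logic in Splunk terms is a per-account `stats count by Account_Name, hour` over the last day, a baseline `eventstats avg(count) stdev(count) by Account_Name`, and a final `where` against the computed threshold.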

hettervik
Builder

Hi,

I've not made a detection mechanism for CryptoLocker in Splunk myself, but I've looked into the issue on one occasion earlier. What I found was that you can (on Windows machines) activate something called file auditing, which tracks changes on files. If you forward the logs from file auditing to Splunk you could make an alarm that triggers if there are e.g. more than x file changes over y minutes. Have a look at (1) the blog from Hacker Hurricane for more information about Splunk and CryptoLocker, and see (2) the blog from Splunk for information on file auditing in Windows.

(1) http://hackerhurricane.blogspot.no/2014/01/how-to-detect-cryptolocker-type-attack.html
(2) http://blogs.splunk.com/2013/07/08/audit-file-access-and-change-in-windows/

0 Karma

bretmorr
New Member

Thanks for the information. The current alert seems to be working; I just need to tune it to avoid too many false positives.

0 Karma