“Decoding Event Logs: Detecting Human-Operated Ransomware via Windows Event Logs – Insights from JPCERT/CC”

Windows event logs can reveal traces of ransomware activity and help identify attack vectors in human-operated incidents. The article reviews Conti, Phobos, Midas, BadRabbit, and Bisamware, showing which Windows event IDs and logs are triggered during execution and how logs aid damage assessment and attribution. #Conti #Phobos #Midas #BadRabbit #Bisamware #JPCERTCC

Keypoints

  • The initial response to ransomware attacks is complicated by the difficulty in identifying the attack vector.
  • Windows event logs provide valuable information for identifying ransomware types and activity.
  • Four Windows event logs were analyzed: Application Log, Security Log, System Log, and Setup Log.
  • Ransomware types discussed include Conti, Phobos, Midas, BadRabbit, and Bisamware, each with distinctive event IDs.
  • The event IDs each family triggers form a distinctive logging signature that helps identify which ransomware ran, even after the payload itself is gone.
  • Some ransomware share common event log characteristics, which can assist in grouping variants.
  • Investigating event logs can yield useful insights when other information is lost or encrypted.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Ransomware executes malicious code via various means, including exploiting vulnerabilities in software. [‘Ransomware often executes malicious code through various means, including exploiting vulnerabilities in software.’]
  • [T1543.003] Create or Modify System Process: Windows Service – Ransomware may create or modify system services to maintain persistence on the infected system (the original summary filed this under T1547, but service creation is T1543; a service install is what System log event ID 7045 records). [‘Some ransomware may create or modify system services to maintain persistence on the infected system.’]
  • [T1068] Exploitation for Privilege Escalation – Ransomware may exploit vulnerabilities to gain elevated privileges on the system. [‘Ransomware may exploit vulnerabilities to gain elevated privileges on the system.’]
  • [T1490] Inhibit System Recovery – Ransomware deletes volume shadow copies and backup catalogs to hinder recovery (the original summary listed this under T1562 Impair Defenses; shadow-copy deletion is T1490). [‘Ransomware can delete volume shadow copies to evade detection and hinder recovery efforts.’]
  • [T1486] Data Encrypted for Impact – Ransomware encrypts files to disrupt access to data, demanding ransom for decryption. [‘Ransomware encrypts files to disrupt access to data, demanding ransom for decryption.’]

Indicators of Compromise

  • [Event ID] Windows Event IDs observed during ransomware execution – Conti: 10000, 10001 (Application log, Restart Manager sessions opened while files are being encrypted); Phobos: 612, 524, 753 (Application log); BadRabbit: 7045 (System log, new service installed); Bisamware: 1040, 1042 (Application log, MsiInstaller transaction start/end); Common: 13, 10016 (System log). The Midas event IDs are not reproduced in this summary; see the linked article.
  • [File Name] cscc.dat – observed as the component installed as a service during BadRabbit execution to perform disk encryption; it is the path recorded in the corresponding event ID 7045 entry
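The practical check a responder wants from the list above is a single sweep of the Application and System logs for these IDs, on a live host or against exported .evtx files. The script below is an added example written for this page; it is not code from the JPCERT/CC article. The log name assigned to each family and the provider names in the comments are assumptions drawn from the standard Windows event schema, not statements made by the summary above.

```powershell
# Added example (not from the JPCERT/CC post): sweep the Application and System
# logs for the event IDs the post associates with each ransomware family.
# Assumption: the LogName for each ID set is taken from the Windows event schema
# (Restart Manager and MsiInstaller write to Application; Service Control
# Manager, Kernel-General and DistributedCOM write to System).
$RansomwareEventMap = @(
    @{ Family = 'Conti';     LogName = 'Application'; Id = 10000, 10001 }  # Microsoft-Windows-RestartManager
    @{ Family = 'Phobos';    LogName = 'Application'; Id = 612, 524, 753 }
    @{ Family = 'BadRabbit'; LogName = 'System';      Id = 7045 }          # Service Control Manager: service installed
    @{ Family = 'Bisamware'; LogName = 'Application'; Id = 1040, 1042 }    # MsiInstaller transaction start/end
    @{ Family = 'Common';    LogName = 'System';      Id = 13, 10016 }
)

function Find-RansomwareEvents {
    <#
    .SYNOPSIS
      Returns one object per matching event, tagged with the family whose
      signature it belongs to. Use -EvtxDirectory to triage exported logs
      offline (expects Application.evtx / System.evtx in that folder).
    #>
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$EvtxDirectory
    )

    foreach ($entry in $RansomwareEventMap) {
        # FilterHashtable may carry either LogName (live) or Path (offline), not both.
        $filter = @{ Id = $entry.Id; StartTime = $Since }
        if ($EvtxDirectory) {
            $filter['Path'] = Join-Path $EvtxDirectory "$($entry.LogName).evtx"
        } else {
            $filter['LogName'] = $entry.LogName
        }

        # Get-WinEvent throws when nothing matches; silence that so one empty
        # family does not abort the whole sweep.
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            $firstLine = ($e.Message -split "`r?`n")[0]

            # 7045 carries the service image path; flag the BadRabbit component
            # (cscc.dat) named in the IoC list, and keep the path for any other hit.
            $note = ''
            if ($e.Id -eq 7045 -and $e.Message -match 'cscc\.dat') {
                $note = 'BadRabbit encryptor service (cscc.dat)'
            }

            [pscustomobject]@{
                Family      = $entry.Family
                TimeCreated = $e.TimeCreated
                Log         = $entry.LogName
                Id          = $e.Id
                Provider    = $e.ProviderName
                Computer    = $e.MachineName
                Message     = $firstLine
                Note        = $note
            }
        }
    }
}

# Usage: live host, last 7 days, ordered on a timeline so bursts stand out.
Find-RansomwareEvents | Sort-Object TimeCreated | Format-Table -AutoSize

# Usage: exported logs collected from an encrypted host.
# Find-RansomwareEvents -Since (Get-Date).AddDays(-30) -EvtxDirectory 'C:\cases\host01\evtx'
```

Treat the output as a timeline, not an alert list: 10000/10001 (Restart Manager) and 1040/1042 (MsiInstaller) also fire during routine software installs, and 7045 fires for any new service. What distinguishes a ransomware run is a tight burst of these IDs on one host, the same burst repeating across many hosts in a short window, or a 7045 whose image path is the encryptor (cscc.dat in the BadRabbit case). Run the sweep with `-Since` set just before the first user report of encrypted files.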

Read more: https://blogs.jpcert.or.jp/en/2024/09/windows.html