
Data Encrypted for Impact (T1486)

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

Events covered

8 catalog events are tagged with this technique by at least one rule.

Provider                   | Event ID | Title
Sysmon                     | 1        | Process creation
Sysmon                     | 5        | Process terminated
Sysmon                     | 7        | Image loaded
Sysmon                     | 11       | FileCreate
Security-Auditing          | 4663     | An attempt was made to access an object.
Security-Auditing          | 4688     | A new process has been created.
Defender-DeviceFileEvents  | 9002001  | File created
Defender-DeviceInfo        | 9008000  | Device inventory snapshot

Authoring guide

Patterns shared across the 15 rules under this technique (listed at the end of this page): which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (12 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field                     | Rules | How                                 | Sample values
Image                     | 5     | ends_with 4, match 3, starts_with 1 | \gpg.exe, \gpg2.exe, \Contacts\, \Temporary Internet, :\Perflogs\
OriginalFileName          | 4     | eq 4                                | RstrtMgr.dll, gpg.exe
ImageLoaded               | 2     | ends_with 2                         | \RstrtMgr.dll
TargetFilename            | 2     | ends_with 1, match 1, eq 1          | \Desktop\, \Users\, .txt, *\\windows\\system32\\test.txt
span                      | 2     | eq 2                                | 3s, 10s
EventID                   | 2     | eq 2                                | 5, 11
Description               | 1     | eq 1                                | GnuPG’s OpenPGP tool
CommandLine               | 1     | match 1                             | /v, RecoveryKeyMessageSource, UseAdvancedStartup
count                     | 1     | ge 1                                | 15
file_name                 | 1     | in 1                                | "*\.txt", "*\.hta", "*\.html"
unique_readme_path_count  | 1     | ge 1                                | 15
"Filesystem.file_path"    | 1     | eq 1                                | C:\\*Ryuk*

Top indicator values (64 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get a useful signal. A blank Corpus reach means the combination appears only in rules under this technique.

Field             | Kind        | Value                                                          | Rules (here) | Corpus reach
ImageLoaded       | ends_with   | \RstrtMgr.dll                                                  | 2            | 2
OriginalFileName  | eq          | RstrtMgr.dll                                                   | 2            | 2
OriginalFileName  | eq          | gpg.exe                                                        | 2            | 2
Image             | ends_with   | \gpg.exe                                                       | 2            | 5
Image             | ends_with   | \gpg2.exe                                                      | 2            | 5
Image             | match       | :\Users\Public\                                                | 1            | 14
Image             | match       | :\Perflogs\                                                    | 1            | 7
Image             | match       | \Favorites\                                                    | 1            | 6
Image             | match       | :\Users\                                                       | 1            | 3
Image             | match       | \Contacts\                                                     | 1            | 5
Image             | match       | \Temporary Internet                                            | 1            | 2
Image             | match       | \Favourites\                                                   | 1            | 5
Image             | starts_with | C:\$WinREAgent\'                                               | 1            |
Image             | ends_with   | \AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe | 1            |
Image             | starts_with | C:\Users\'                                                     | 1            | 2
Image             | starts_with | C:\Program Files (x86)\'                                       | 1            |
Image             | match       | \AppData\Local\Temp\is-                                        | 1            |
Image             | starts_with | C:\Windows\WinSxS\'                                            | 1            |
Image             | starts_with | C:\Windows\SoftwareDistribution\'                              | 1            |
Image             | starts_with | C:\Windows\Temp\'                                              | 1            |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma (6 rules)

Splunk (4 rules)

Kusto Query Language (5 rules)