Detection rules › Splunk
Common Ransomware Extensions
The following analytic detects modifications to files with extensions commonly associated with ransomware. It leverages the Endpoint.Filesystem data model to identify changes in file extensions that match known ransomware patterns. This activity is significant because it suggests an attacker is attempting to encrypt or alter files, potentially leading to severe data loss and operational disruption. If confirmed malicious, this activity could result in the encryption of critical data, rendering it inaccessible and causing significant damage to the organization's data integrity and availability.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1485 Data Destruction |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: tstats
tstats WHERE NOT Filesystem.file_name IN ("*.bat", "*.cmd", "*.com", "*.cpl", "*.dll", "*.doc", "*.docx", "*.exe", "*.gif", "*.jar", "*.jpeg", "*.jpg", "*.js", "*.lnk", "*.pif", "*.png", "*.ppt", "*.pptx", "*.ps1", "*.psm1", "*.scr", "*.sys", "*.txt", "*.vbs", "*.wsf", "*.xls", "*.xlsx") BY Filesystem.action, Filesystem.dest, Filesystem.file_access_time, Filesystem.file_create_time, Filesystem.file_hash, Filesystem.file_modify_time, Filesystem.file_name, Filesystem.file_path, Filesystem.file_acl, Filesystem.file_size, Filesystem.process_guid, Filesystem.process_id, Filesystem.user, Filesystem.vendor_product
Stage 2: search
search
Stage 3: rex
rex field=file_name ...
Stage 4: lookup
lookup <lookup> Extensions, Name, file_extension
Stage 5: search
search Name!=False
Stage 6: stats
stats dc(file_path) AS path_count, dc(file_path) AS file_count, … AS action, … AS file_access_time, … AS file_create_time, … AS file_hash, … AS file_modify_time, … AS file_acl, … AS file_size, … AS file_path, … AS process_guid, … AS process_id, … AS user, … AS vendor_product, … AS file_name, … AS file_extension, … AS Name BY dest
Stage 7: where
where (file_count>20 OR path_count>1)
Stage 8: search
search `macro`
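The pipeline above, reproduced as an added Python illustration (not the rule's own SPL or any Splunk code) over constructed Filesystem events: it drops the Stage 1 allowlisted extensions, extracts the trailing extension with an assumed regex (the page elides the rex pattern), matches against a constructed stand-in for the Extensions/Name lookup, and aggregates per dest with the Stage 7 thresholds. It assumes file_count counts distinct file names and path_count distinct file paths.

```python
import re
from collections import defaultdict
# Stage 1 allowlist: events for these everyday extensions never reach the lookup.
COMMON_EXTENSIONS = {
    ".bat", ".cmd", ".com", ".cpl", ".dll", ".doc", ".docx", ".exe", ".gif",
    ".jar", ".jpeg", ".jpg", ".js", ".lnk", ".pif", ".png", ".ppt", ".pptx",
    ".ps1", ".psm1", ".scr", ".sys", ".txt", ".vbs", ".wsf", ".xls", ".xlsx",
}
# Constructed stand-in for the rule's Extensions -> Name lookup (sample entries only).
RANSOMWARE_LOOKUP = {".locky": "Locky", ".cerber": "Cerber", ".wncry": "WannaCry"}
# Assumed form of the Stage 3 rex: the final dot-suffix of file_name.
EXT_RE = re.compile(r"(\.[^.]+)$")

def file_extension(file_name):
    m = EXT_RE.search(file_name)
    return m.group(1).lower() if m else None  # Splunk lookups match case-insensitively

def detect(events, file_threshold=20, path_threshold=1):
    """Stages 1-7 over a list of Filesystem events; returns {dest: summary} for hits."""
    per_dest = defaultdict(lambda: {"names": set(), "paths": set(), "families": set()})
    for ev in events:
        ext = file_extension(ev["file_name"])
        if ext is None or ext in COMMON_EXTENSIONS:   # Stage 1: NOT file_name IN (...)
            continue
        family = RANSOMWARE_LOOKUP.get(ext)            # Stages 4-5: lookup, Name!=False
        if family is None:
            continue
        b = per_dest[ev["dest"]]                       # Stage 6: stats ... BY dest
        b["names"].add(ev["file_name"])
        b["paths"].add(ev["file_path"])
        b["families"].add(family)
    hits = {}
    for dest, b in per_dest.items():
        # Assumption: file_count = distinct file names, path_count = distinct paths.
        file_count, path_count = len(b["names"]), len(b["paths"])
        if file_count > file_threshold or path_count > path_threshold:   # Stage 7
            hits[dest] = {"file_count": file_count, "path_count": path_count,
                          "Name": sorted(b["families"])}
    return hits

def sample_events():
    """Constructed Sysmon EID 11-style events: one host renaming files, two benign."""
    hit = [{"dest": "ws01", "file_name": f"r{i}.xlsx.locky",
            "file_path": f"C:\\Users\\alice\\Documents\\r{i}.xlsx.locky"} for i in range(3)]
    return hit + [
        {"dest": "ws02", "file_name": "notes.docx", "file_path": "C:\\tmp\\notes.docx"},
        {"dest": "ws02", "file_name": "README.TXT", "file_path": "C:\\tmp\\README.TXT"},
        {"dest": "ws03", "file_name": "one.cerber", "file_path": "C:\\tmp\\one.cerber"}]
```

Only ws01 fires: ws02 touches allowlisted extensions only, and ws03's single matched file stays under both thresholds.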
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | file_name | in | "*.bat", "*.cmd", "*.com", "*.cpl", "*.dll", "*.doc", "*.docx", "*.exe", "*.gif", "*.jar", "*.jpeg", "*.jpg", "*.js", "*.lnk", "*.pif", "*.png", "*.ppt", "*.pptx", "*.ps1", "*.psm1", "*.scr", "*.sys", "*.txt", "*.vbs", "*.wsf", "*.xls", "*.xlsx" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Name | ne | False |
| file_count | gt | 20 |
| path_count | gt | 1 |