Suspicious File Changes Activity Detected
This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/03/20"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/08/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same
13process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and
14demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware
15attack is the mass encryption of the file system, after which a new file extension is added to the file.
16"""
17from = "now-9m"
18index = ["logs-endpoint.events.*"]
19language = "eql"
20license = "Elastic License v2"
21name = "Suspicious File Changes Activity Detected"
22risk_score = 47
23rule_id = "28738f9f-7427-4d23-bc69-756708b5f624"
24severity = "medium"
25tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
26type = "eql"
27query = '''
28sequence by host.id, process.entity_id with maxspan=1s
29 [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
30 and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or
31 (process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and
32 file.path : (
33 "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*",
34 "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not ((
35 process.name : (
36 "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
37 "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
38 "systemsettings", "vmis-launcher")) or file.path : "/etc/selinux/*" or (file.extension in ("qmlc", "txt")
39 ))] with runs=25
40'''
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44
45[[rule.threat.technique]]
46id = "T1486"
47name = "Data Encrypted for Impact"
48reference = "https://attack.mitre.org/techniques/T1486/"
49
50[rule.threat.tactic]
51id = "TA0040"
52name = "Impact"
53reference = "https://attack.mitre.org/tactics/TA0040/"
Related rules
- High Number of Process Terminations
- Hosts File Modified
- Potential Linux Ransomware Note Creation Detected
- Suspicious Data Encryption via OpenSSL Utility
- Suspicious Termination of ESXI Process