Working with command line
Sometimes, filecoder malware uses a legitimate program to encrypt and delete user files. RAR archiver can be such a program, so we want to create a rule to monitor the execution of the RAR archiver with specific parameters used to encrypt the archive file and delete source files.
Rules
<?xml version='1.0' encoding='UTF-8'?> <rule> <description> <name>RAR Encrypts and Deletes Files [B0601]</name> <category>Ransomware / Filecoders</category> <os>Windows</os> <severity>84</severity> <mitreattackid>T1560.001,T1486</mitreattackid> <explanation>A RAR archiver was executed, instructed to password-protect an archive, and delete the source files. If the user isn't aware of the activity, it may indicate ransomware activity.</explanation> <benignCauses>It can be a legitimate action of the user to protect data by encrypting it.</benignCauses> <maliciousCauses>Used by some filecoders to encrypt and delete a user's data.</maliciousCauses> <recommendedActions>1. Investigate the activity: * Is it a single activity or a sequence? * What is the count and type of files involved? * Was it initiated by the user or not? 2. What process initiated the activity? * Is it a well known and trusted program? * Is it signed by a trustworthy vendor? * Scan it with your Antivirus product or check its reputation and popularity directly in the Inspect console. * If suspicious, submit the program for further analysis. 3. Use the password from command line logged by Inspect to recover the encrypted files.</recommendedActions> </description> <definition> <process> <operator type="AND"> <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="rar"/> <operator type="AND"> <operator type="OR"> <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-p"/> <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-hp"/> </operator> <operator type="OR"> <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-df"/> <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-dw"/> </operator> </operator> </operator> </process> </definition> <maliciousTarget name="parent"/> <actions> <action name="TriggerDetection"/> <action name="StoreEvent"/> <action name="SubmitParentToLiveGuard"/> </actions> </rule> |
Things to notice in the rule example above:
1.CommandLine property is used with condition contains to select only specific parameters and leave the rest of the command line arbitrary.
2.Conditions are combined with logical operators OR and AND to achieve the desired outcome.