Articles & Presentations

Thursday, September 24, 2015

Finding and Alerting on crypto events with your Cloud storage logs




This may be an actual compelling reason to use a business class Cloud Storage solution like those from DropBox, Box and others.

Normally to detect crypto events you have to enable the File Auditing policy in GPO or Local Security Policy and on set File Auditing for the Server Shares you want to monitor so the data is captured in your Security Event Log (Event ID 4663). This is an effective way to detect a Crypto event in process and also know what directories will need to be restored once the user is contained or disconnected.

Recently a user was hit with one of the many Crypto ransomware variants and needed to be cleaned up. Since a business class Cloud Storage was being used, the question was raised; can they roll back to last known good files since this occurred 2 weeks earlier? That got me thinking...

If you are one of the companies using Cloud Storage as an alternative to local file server storage, ease of sharing between partners, or using it for the encrypted storage, you may be in luck if you have a log management solution. You may be able to use their web portal to search for this condition, let me know I have not tried it.

If you upload or sync the cloud storage logs to your log management solution, say Splunk, Loggly or one of the many others, you could have what you need to answer the following questions:

1. When did the event happen
2. Who was the user(s) involved
3. What directories were involved (probably all)

The logs will have all this data and if you write a query to search for "HELP_DECRYPT" and say "stats count by username", you will have what you need to alert on a crypto event using your cloud storage logs!

Since users should not have any "HELP_DECRYPT" files, usually 2 per directory, the HTML file and Image file, monitoring for these is a great artifact to look for.

Just look for these files and say "where count > 5" as a trigger and send an email to the appropriate people.

Just another artifact that we can use to detect malwarious activities.

Also check out my new "Windows Splunk Logging Cheat Sheet" for some Windows Splunk logging goodness.

Happy Hunting!

#InfoSec #MalwareArchaeology