Catch the Next WannaCry or NotPetya Ransomware Attack Before Damage Occurs


Contributors to this blog include Nathaniel “Q” Quist and Sam Straka.

On April 14, 2017, Shadow Brokers released a set of previously classified exploit tools developed by the National Security Agency. Within this cache of exploits, perhaps the most notorious was an exploit called “EternalBlue.” EternalBlue was developed to take advantage of a vulnerability within the Windows operating system. Fortunately, Microsoft had advance knowledge of the leaked vulnerability, and it issued a security patch on March 14, 2017.

Sadly, this was not the end of the story. Due to poor system maintenance routines, inadequate patching schedules, or the failure to adhere to industry best practices, a large number of systems were left vulnerable to the EternalBlue exploit — despite the availability of a suitable patch. Given these oversights, the EternalBlue exploit has been at the center of many industry-changing cyberattacks.

Within the last year, ransomware attacks such as WannaCry and NotPetya used the EternalBlue exploit as the primary method to quickly traverse networks, infecting thousands of computer systems in under 48 hours. WannaCry, upon its release on May 12, 2017 — just one month after the Shadow Brokers dump and two months after the patch was made public — compromised over 200,000 unique systems across 150 different countries in just over 24 hours.

NotPetya, released on July 27, 2017, four months after the patch became available, was also equipped with the EternalBlue exploit. It originally targeted banks, oil and gas companies, and airlines, but ultimately expanded to compromise over 10,000 organizations across 65 countries.

LogRhythm Labs typically tracks these types of attacks and publishes content designed to both increase awareness of and assist in the detection of these events using the LogRhythm NextGen SIEM Platform. Since fast-moving threats such as WannaCry and NotPetya continue to threaten organizations of all sizes, LogRhythm developed a tool that delivers this content to you even faster.

The LogRhythm Current Active Threat (CAT) Module Protects Your Environment from Emerging Cyberattacks

LogRhythm Labs created the Current Active Threat (CAT) Module to assist you in the detection of the latest widespread attacks facing your network. LogRhythm Labs’ Threat Research team carefully watches industry malware trends, then rapidly develops AI Engine rules designed to identify emerging attacks, and delivers those rules directly to your SOC in under 24 hours.

IOC-Based Attacks

The AI Engine rules created in support of the CAT Module are different from those in other LogRhythm Labs modules. Instead of using the tactics and techniques of an attack to build a rule, the CAT Module rules focus on specific Indicators of Compromise (IOCs) observed in events, such as IP addresses, hash values, specific command lines, and registry keys. For example, WannaCry was a file-based malware variant that contained indicators that were easily observed by LogRhythm’s NextGen SIEM Platform, including:

  • Filenames (Object Field):
    • b.wnry
    • c.wnry
    • r.wnry
    • s.wnry
    • t.wnry
    • u.wnry
  • Process names:
    • taskdll.exe
    • tasksche.dll
    • taskse.exe
  • Registry Key modifications (to maintain persistence):
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    • HKLM\Software\WanaCrypt0r\wd
  • Command Line commands:
    • attrib +h .
    • cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /setbootstatuspolicy ignoreallfailures & bcdedit /setrecoveryenabled no & wbadmin delete catalog -quiet
    • icacls . /grant Everyone:F /T /C /Q

The CAT Module targets these types of indicators to help you automatically establish detection and response readiness in response to threats as they emerge. By quickly implementing targeted rules in LogRhythm, you can proactively search for threats like WannaCry in the critical early hours of a threat event.

Pre-Tuned AI Engine Rules

The CAT Module introduces a new way of designing AI Engine rules, in that it has the ability to deliver pre-tuned AI Engine rules. A pre-tuned AI Engine rule is a relatively new concept developed by the LogRhythm Labs team. Tuning an AI Engine rule is essential for the success of the rule and for the ultimate success of your LogRhythm deployment. However, up until this point, delivering a pre-tuned AI Engine rule straight out of the box was impossible due to the uniqueness of each customer’s environment.

Because no two environments are the same, how could LogRhythm Labs develop and deliver AI Engine rules that would work for everyone? The CAT Module makes use of “list” capabilities by creating a type of list called the CAT : Metadata Field list. Each metadata list enumerates the log source types that populate a particular metadata field within the LogRhythm NextGen SIEM Platform. For example, if you want to build a rule that triggers on the presence of the three CVEs indicating an internal system is vulnerable to the Spectre/Meltdown speculative-execution leakage exploits (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754), the fastest way to tune this rule is to narrow the AI Engine rule to only those log sources that supply the LogRhythm platform with CVE log data. Thus, enter the ‘CAT : Metadata Field : CVE’ list.

In another instance, the WannaCry malware was hardcoded with a specific set of command lines that varied with the malware version and would execute on a vulnerable system. A few of the commands that would execute on the victim system are:

  • attrib +h .
  • cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /setbootstatuspolicy ignoreallfailures & bcdedit /setrecoveryenabled no & wbadmin delete catalog -quiet
  • icacls . /grant Everyone:F /T /C /Q

Using LogRhythm’s real-time analytics built on the Machine Data Intelligence (MDI) Fabric, the LogRhythm NextGen SIEM Platform parses these command values into the same metadata field across any LogRhythm deployment. To construct the desired AI Engine rule, the rule matches on the specific commands themselves and is also configured to use the CAT : Metadata Field : Command list, narrowing the AI Engine rule to only the log source types that could supply that field.
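The following is an added example, not LogRhythm's AI Engine or its rule format, that models the two ideas above in plain Python: the WannaCry IOC list from the earlier section (filenames, process names, command lines) is matched against parsed metadata fields, and each field is evaluated only for log source types named in a "CAT : Metadata Field" list, the pre-tuning step this paragraph describes. The log source type names, field names and sample events are constructed for the example and are not taken from the product.

```python
"""Toy CAT-style detection rule: exact-match WannaCry IOCs against parsed
metadata fields, scoped to the log source types that populate each field.
Illustrative code only; not LogRhythm's AI Engine or its rule syntax."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# IOC values taken from the WannaCry indicator list in the blog post.
WANNACRY_IOCS: Dict[str, Set[str]] = {
    "object": {"b.wnry", "c.wnry", "r.wnry", "s.wnry", "t.wnry", "u.wnry"},
    "process": {"taskdll.exe", "tasksche.dll", "taskse.exe"},
    "command": {
        "attrib +h .",
        "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete "
        "& bcdedit /setbootstatuspolicy ignoreallfailures "
        "& bcdedit /setrecoveryenabled no & wbadmin delete catalog -quiet",
        "icacls . /grant Everyone:F /T /C /Q",
    },
}

# Stand-in for the "CAT : Metadata Field : <field>" lists: which log source
# types actually populate each metadata field. The source type names are
# assumptions made for this example.
METADATA_FIELD_LISTS: Dict[str, Set[str]] = {
    "command": {"MS Windows Event Logging - Security", "Sysmon"},
    "process": {"MS Windows Event Logging - Security", "Sysmon"},
    "object": {"Sysmon", "Windows File Audit"},
}


def normalize(value: str) -> str:
    """Collapse whitespace and case so trivial formatting differences in a
    logged command line do not slip past an exact-match IOC rule."""
    return " ".join(value.lower().split())


# Normalize the IOCs once so event matching is a set lookup.
NORMALIZED_IOCS: Dict[str, Set[str]] = {
    fld: {normalize(v) for v in values} for fld, values in WANNACRY_IOCS.items()
}


@dataclass
class LogEvent:
    source_type: str          # log source type assigned by the collector
    fields: Dict[str, str]    # parsed metadata fields, e.g. {"command": "..."}


@dataclass
class Alarm:
    field: str
    value: str
    source_type: str


def evaluate(events: List[LogEvent]) -> List[Alarm]:
    """Run the pre-tuned rule over parsed events and return one alarm per
    (event, field) IOC hit."""
    alarms: List[Alarm] = []
    for ev in events:
        for fld, iocs in NORMALIZED_IOCS.items():
            # Pre-tuning: skip log sources that never supply this field, so the
            # rule costs nothing on firewall, proxy or other unrelated sources.
            if ev.source_type not in METADATA_FIELD_LISTS[fld]:
                continue
            value: Optional[str] = ev.fields.get(fld)
            if value is not None and normalize(value) in iocs:
                alarms.append(Alarm(fld, value, ev.source_type))
    return alarms


# Constructed sample events: three true positives, one out-of-scope source
# carrying an IOC-looking value, and one benign Windows command.
SAMPLE_EVENTS: List[LogEvent] = [
    LogEvent("Sysmon", {"process": "taskse.exe", "command": "attrib  +h ."}),
    LogEvent("MS Windows Event Logging - Security",
             {"command": "icacls . /grant Everyone:F /T /C /Q"}),
    LogEvent("Sysmon", {"object": "s.wnry"}),
    LogEvent("Cisco ASA", {"command": "attrib +h ."}),   # not in Command list
    LogEvent("Sysmon", {"command": "attrib +r readme.txt"}),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"ALARM field={a.field!r} value={a.value!r} source={a.source_type!r}")
```

Running the block prints four alarms: the Sysmon process and command hits, the Security-log icacls hit, and the s.wnry filename. The "Cisco ASA" event carries the same command string but is never evaluated, which is exactly the effect of scoping a rule with the CAT : Metadata Field : Command list.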

Figure 1: AI Engine Rule Configured to Use the CAT : Metadata Field : Command list

Content Delivery

Events that affect wide varieties of organizations are thankfully not an everyday occurrence. But when they do occur, timely, efficient, and accurate notification and alerting are a must. The CAT Module is designed to automatically enable rules as soon as they are added to your environment after a Knowledge Base (KB) sync. LogRhythm typically publishes three to five KBs per week. If an industry-shaping event occurs, you wouldn’t have to wait more than 24 hours to receive your first AI Engine rules addressing the event. This allows you to have confidence in your response to news-making security events, even if security resources are tight.

Another important aspect of the CAT Module is content retirement. Malicious actors and the malware they create are not likely to maintain their underlying infrastructure for long periods of time. This is due to mitigation actions by various cyber defense teams protecting and cleaning known infections, international police organizations removing large-scale Command and Control (C2) systems, and the malicious actors themselves abandoning the cyber infrastructure they build after its intended functionality deploys. As a result, AI Engine rules may not be relevant indefinitely and may be removed after a threat has passed.

The CAT Module is now available and is free to LogRhythm customers. For specific questions, comments, or to view updates on the latest cyber events, visit LogRhythm’s CAT Module page on the LogRhythm Community.

Special thanks to Sam Straka for contributing to this blog.