This micro emulation plan targets the DS0022 File: File Access and DS0022 File: File Modification data sources. It covers file interactions like reading a file and modifying a file’s contents, permissions, or attributes. Ransomware attacks typically show a combination of file access and modification conducted at a rapid pace. This behavior is not unique to ransomware as it is very common for adversaries to conduct file access or modification behaviors during various stages of an attack, but the cadence between the two will be much slower than with ransomware.
You can access the binary for this micro plan as part of the latest release.
Table Of Contents:
What are we doing? This module provides easy to execute code that will
access and modify files in a directory supplied by the user or current directory
if none is specified. The executable will append a new line to *.txt files and
add a .bk extension to non-text files. It logs all of its filesystem activity
for auditing and cleanup purposes.
Why should you care? File access and modification behavior can be found during ransomware attacks (T1486 Data Encrypted for Impact) where the malware will open files before encrypting them. This behavior of accessing a file and then modifying it will be conducted in rapid succession giving little time for defenders to recognize an attack and stop it. Some malware encrypting just the first portion of the file to increase the speed at which it operates.
Adversaries may access or modify files for many different reasons including but not limited to T1087 Account Discovery to enable system enumeration, T1005 Data from Local System to conduct system and network enumeration or find data for exfiltration, T1555 Credentials from Password Stores to facilitate lateral movement or privilege escalation, and T1074 Data Staged as a precursor to exfiltration.
The FileAccess.exe executable executes by opening *.txt files and appending
a new line to each one. For non-text files it will add .bk to the filename. If
no directory is specified it will access and modify files in the directory it is
executed from (except itself, of course).
The executable has 4 options to alter its functionality:
recur:Conduct a recursive search on all directories that are found in the given path.dirPath:The directory path to search for files to modify.logFile:Allows the user to modify the name of the log file provided by the program.accessDelay:Allows the user to specify an amount of time to wait between file access events.
Alternatively, the -menu argument displays an interactive menu to configure
the options.
Windows generates event ID 4663 when a file is accessed. With the nature of Ransomware being to encrypt as many files as quickly as possible, a high volume of these alerts is a tell-tale sign of ransomware activity. Non-ransomware file access behavior may be more difficult to detect due the slower cadence.
Windows EID as well as Sysmon can be used to detect file modification behaviors with Windows event ID 4670 being used to detect when permissions to a file have been changed and Sysmon event ID 2 when a file’s creation time has changed. Sysmon EID 11 monitors for when files are created. Many variants of ransomware delete the original file and replace it with an encrypted copy posing a possible detection opportunity.
Accessing files and modifying them is extremely common behavior in all systems. This coupled with the short time to respond makes mitigation very difficult and revolves round preventing the ransomware from being deployed on the system in the first place. Conducting regular backups and having “golden images” for critical systems can limit the damage of a ransomware attack. Being able to capture and log process memory is also important as the encryption key is often stored in memory before being transferred to the adversary’s C2 server.