abezverkhyi Honored Contributor.

ArcSight vs WannaCry / WannaCrypt ransomware worm ESM use case & IOCs

Quick note: shut down SMB v1 everywhere you use it, patch the MS17-010 vulnerability if you have not, and blacklist all C2 and Tor addresses on the perimeter. IOCs below. Treat Tor and ransomware monitoring as high priority; the outbreak is far from over. And test backups.

Hello dear community! Thanks to OSINT and fellow security researchers we've now dug up host IOCs and 41 IPs that are part of the WannaCry / WannaCrypt0r attack. A free use case is provided in this thread.

The goal of WannaCry Ransomware Worm Detector is to detect and stop the spread of the WannaCry ransomware worm, also known as WanaCryptor, WCry and WanaCrypt0r 2.0. WannaCry is an advanced ransomware worm that uses the SMB exploits published by Shadow Brokers to encrypt files on the Microsoft Windows operating system. It was used to commit cyber-attacks on multiple organizations in 100+ countries worldwide on May 12th 2017. WannaCry Ransomware Worm Detector seamlessly integrates with SIEM systems, takes only a few minutes to deploy and provides high detection accuracy for the WannaCry worm based on OSINT IOCs verified with Detect Tor. Any feedback is welcome at dev@socprime.com

Just in case you missed the whole media explosion about the WannaCry ransomware worm outbreak that hit the world on Friday 12th 2017, these 2 high-level articles stand out to me as the most comprehensive and quickest to grasp of the 40-ish I've read so far:

https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/#6f044b40e599

https://blog.qualys.com/securitylabs/2017/05/12/how-to-rapidly-identify-assets-at-risk-to-wannacry-ransomware-and-eternalblue-exploit

Technical attack analysis with IOCs here: WannaCry no more: ransomware worm IOC's, Tor C2 and technical analysis + SIEM rules - SOC Prime

Reverse engineering of the malware sample by Faisal Abdul Malik Qureshi is here: Deriving Cyber Threat Intelligence: Wanna Cry Ransomware Quick Analysis

Use case:

The use case leverages an active list with pre-loaded IOCs and is meant to last until the IOCs expire. Please tune accordingly and disable the use case once the IOCs become inactive. For continuous blocking and detection of ransomware it is recommended to block and monitor Tor connections, for example by using the DetectTor use case. The use case contains the following IOCs:

  1. MD5s of malicious processes on host
  2. Names of malicious processes on host
  3. Command-line parameters of WannaCry worm, including ones called out by cmd.exe
  4. File paths identified
  5. IP addresses and ports reported in OSINT as command centers

Install docs:

CSV with IPs

Screenshots (this works on Express 4.0 and ESM 6.8 to 6.11).


The use case is free forever and updated regularly at https://ucl.socprime.com/use-case-library/info/403/

Also, considering the events, we decided to make the advanced versions of Ransomware Hunter and DetectTor free too. Both can detect WannaCry even without new IOCs, since their behaviour-based rules stayed the same and the ransomware has to use Tor. Links:

https://ucl.socprime.com/use-case-library/info/183/


https://ucl.socprime.com/use-case-library/info/42/


/Stay safe. Test backups. Block Tor. Don't forget to sleep

Operations guide on Use Case

For how to install and configure the package, please see the chapter "Installing and Configuring" in the documentation file (PDF file, link above).

What's inside and how it works?

The use case contains the following rules:

1) Connection to TORPROJECT.ORG. Detects connections to the torproject.org site and all its subdomains. This domain is used by the WannaCry worm to download the Tor browser, which is then used to connect to the C&C and payment servers.

Triggering of this rule indicates that someone or something (a script or the worm) is trying to access a host in the domain torproject.org. The SOC should check whether the user visited this site manually or not.

2) Connection to WannaCry Distribution IP. Detects connections to WannaCry distribution sites. These domains are used to distribute the WannaCry worm. If you see this rule triggered, immediate action is required from the IT unit to check the source host for worm host IOCs.

3) Connection to WannaCry IP or Host. The rule detects connections to WannaCry IP addresses and hosts. Connections to these IPs or hostnames indicate with high probability that the host is infected by WannaCry. Immediate action is required from the IT unit to check this host for worm host IOCs.

4) Connections to External Multiple Hosts (by WannaCry). This rule triggers when one host from the internal network communicates with 14 different external hosts (on the internet) in one minute. This is one of the indicators of WannaCry worm behaviour. But this rule will also trigger on all your other network services (proxies etc.) that actively communicate with the internet. You need to add all systems that generate false positives as exceptions to the conditions; for this, add them to the filter "Exceptions". By default this rule is disabled to avoid correlation overhead. You can also add a condition to the filter to match 14 hosts in different countries by GeoIP.

5) Network Scan on 445 137-139 Port (by WannaCry). The rule detects internal network scans on ports 445, 137, 138 and 139. WannaCry ransomware spreads across the internal network via the SMB vulnerability on port 445 and scans the network intensively. NetBIOS ports 137-139 could also be used to identify Windows hosts.

To avoid false positives, please add your internal scanners' IPs to the filter "Exceptions". If this rule triggers, immediate action is required from the IT unit to check the source host for ransomware.

6) WannaCry Activity on Windows Host. The rule detects any activity of files related to WannaCry on Windows hosts: events with Vendor = Microsoft where the field File Name is not empty. The rule compares file names, paths and hashes with the active lists.

If you have a log source vendor other than Microsoft, please edit the filter "Microsoft Windows File Related Events" and add the new one.

Dashboard:

The dashboard "WannaCry Ransomware Worm Activity Overview" contains four panels:

1) SOC Channel - WannaCry Ransomware Worm Activity. The data monitor shows the last 30 correlated events generated by the use case rules.

2) TOP 10 Potential Infected Hosts. The data monitor shows the top 10 potentially infected hosts grouped by Source Address, based on correlated events from the use case.

3) WannaCry Activity (Last 24h). The data monitor displays a statistical chart of all correlated events for the last 24 hours.

4) All Potential Infected Hosts by Event Count. The query viewer shows all hosts from the list "Potential Infected Hosts All Activity" grouped by Source Address. This list is populated by every rule in the use case.

Indicators of a host compromised by the WannaCry ransomware worm are in the active lists:

1) WannaCry Distribution IP Addresses. Contains IP addresses that were observed distributing WannaCry.

2) WannaCry File Path. Contains the file paths where malicious files were executed.

3) WannaCry Files. Contains the list of WannaCry malicious executable file names.

4) WannaCry Hashes. Contains the list of MD5, SHA1 and SHA256 hashes of WannaCry malicious executables.

5) WannaCry Hostnames. Contains the hostnames of C&C sites.

6) WannaCry IP Address-Port. Contains the list of IP addresses and ports with which WannaCry communicates.

7) WannaCry IP Addresses. Contains the list of IP addresses with which WannaCry communicates.
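The two behaviour-based rules above (rule 4, one internal host reaching 14 distinct external hosts in a minute; rule 5, an internal scan of ports 445/137-139) re-implemented as an added, stand-alone example. This is not the SOC Prime package's ArcSight content: the flow records, the rule-5 threshold of 10 and the RFC1918-style "not in private IP subnets" filter are assumptions made for the example.

```python
# Added example, not the SOC Prime package: rule 4 (>=14 distinct external
# hosts per minute) and rule 5 (scan of 445/137-139) over constructed flow
# records. Rule-5 threshold and private-subnet filter are assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_NETBIOS_PORTS = {445, 137, 138, 139}
WINDOW_SECONDS = 60
PRIVATE_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip):
    """Mirror of the 'not in private IP subnets' filter the thread discusses."""
    a = ip_address(ip)
    return not any(a in n for n in PRIVATE_NETS)

def sources_over_threshold(conns, threshold):
    """conns: {src: [(ts, dst), ...]}. Return sources that reach `threshold`
    distinct destinations inside any sliding one-minute window."""
    hits = set()
    for src, pairs in conns.items():
        pairs.sort()
        for i, (t0, _) in enumerate(pairs):
            if len({d for t, d in pairs[i:] if t - t0 < WINDOW_SECONDS}) >= threshold:
                hits.add(src)
                break
    return hits

def multiple_external_hosts(events, threshold=14, exceptions=frozenset()):
    """Rule 4: internal host contacting >=14 distinct external hosts in a minute.
    Proxies, mail relays etc. belong in `exceptions` (the 'Exceptions' filter)."""
    conns = defaultdict(list)
    for ts, src, dst, port in events:
        if src not in exceptions and not is_external(src) and is_external(dst):
            conns[src].append((ts, dst))
    return sources_over_threshold(conns, threshold)

def smb_netbios_scan(events, threshold=10, exceptions=frozenset()):
    """Rule 5: one source probing many internal targets on 445/137-139 in a
    minute. Threshold 10 is assumed; authorised scanners go in `exceptions`."""
    conns = defaultdict(list)
    for ts, src, dst, port in events:
        if src not in exceptions and port in SMB_NETBIOS_PORTS and not is_external(dst):
            conns[src].append((ts, dst))
    return sources_over_threshold(conns, threshold)

# Constructed sample: (epoch seconds, src, dst, dst_port). 10.0.0.5 sweeps twelve
# internal hosts on 445 in 12 s; 10.0.0.9 (a proxy) reaches 15 external hosts in 42 s.
SAMPLE = [(1000 + i, "10.0.0.5", f"10.0.1.{i + 1}", 445) for i in range(12)]
SAMPLE += [(2000 + 3 * i, "10.0.0.9", f"203.0.113.{i + 1}", 443) for i in range(15)]
```

Passing the proxy address in `exceptions` is the equivalent of adding it to the "Exceptions" filter, and is what removes the rule-4 hit on the sample data.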

24 Replies
kunal.r Respected Contributor.

Re: ArcSight vs WannaCry / WannaCrypt ransomware worm ESM use case & IOCs

I am getting an error in the following rules:

1) External Communication with Multiple Hosts (by WannaCry)

2) Network Scan on 445 Port (by WannaCry)

The error is "refers to to field DummyZeroIP that cannot be found"

Kindly find the snaps of the errors and help us implement the same.
subindbabu Honored Contributor.

Re: ArcSight vs WannaCry / WannaCrypt ransomware worm ESM use case & IOCs

Hi Kunal,

I think this error is happening because one local variable, "DummyZeroIP", is not available. It uses the function "Convert string to IP address", which is available only in new versions, since for me the package is showing the same error for ArcSight Express 4.0.

I am checking for other possible ways; if I find one, I will update.

AND ALSO , A VERY BIG THANKS TO SOC PRIME : PLEASE LET US KNOW THE LATEST IOC's LIST

--SUBIN--
Aleks Super Contributor.

Re: ArcSight vs WannaCry / WannaCrypt ransomware worm ESM use case & IOCs

Hello,

Yes, this error is related to the missing variable function "Convert string to IP Address". We are now updating the package to avoid this variable.

The new package will contain the latest IOCs list. It will be available in one hour.

Aleks

subindbabu Honored Contributor.

Re: ArcSight vs WannaCry / WannaCrypt ransomware worm ESM use case & IOCs

Thanks Aleks, we are waiting for the updated one.

--SUBIN--
kunal.r Respected Contributor.

Re: ArcSight vs WannaCry / WannaCrypt ransomware worm ESM use case & IOCs

Hi Aleks,

Thanks for the update, I have done some changes and it's working now. Although I will be waiting for the latest updated package.

Thanks and Regards,

Kunal.

StevenvandeBraak Outstanding Contributor.

Re: ArcSight vs WannaCry / WannaCrypt ransomware worm ESM use case & IOCs

Andrey, thanks for this work!

In my opinion the first rule, External communication with multiple hosts, should not populate the potentially infected list. This rule just looks for 14 hits within a minute with different hosts. This is apparently the first step.

The second rule looks for the first rule + port 445 + hits on IOCs 30 times in a minute. That looks fine.

By disabling the action of the first rule that populates the list, the content should work fine.

/steven

Aleks Super Contributor.

Re: ArcSight vs WannaCry / WannaCrypt ransomware worm ESM use case & IOCs

Thanks Steven, we have disabled the rule "External communication with multiple hosts" by default because it makes too much noise. It can be used as an additional indicator of infection, but you need to exclude all services for which it is normal to connect to more than 14 unique external hosts in one minute.
subindbabu Honored Contributor.

Re: ArcSight vs WannaCry / WannaCrypt ransomware worm ESM use case & IOCs

Thanks Aleks, enabled the new one.

Please let us know whenever you are feeding a new IOCs list.

--SUBIN--
Aleks Super Contributor.

Re: ArcSight vs WannaCry / WannaCrypt ransomware worm ESM use case & IOCs

Sure!

yash.rajora1 Frequent Contributor.

Re: ArcSight vs WannaCry / WannaCrypt ransomware worm ESM use case & IOCs

The dashboard panel 'Top 10 Infected Hosts' is showing all the traffic going from the internal network to public IPs.

And the filter 'network external communication events' contains 'not in private IP subnets'.

Is this by design, or are some modifications required?

subindbabu Honored Contributor.

Re: ArcSight vs WannaCry / WannaCrypt ransomware worm ESM use case & IOCs

Hi Yash,

I have added that filter in my specific rule. Now it is fine.

--SUBIN--
yash.rajora1 Frequent Contributor.

Re: ArcSight vs WannaCry / WannaCrypt ransomware worm ESM use case & IOCs

Hi Subin,

Mine is still showing false positives. Can you show me the filter and rule?

Yash.

Aleks Super Contributor.

Re: ArcSight vs WannaCry / WannaCrypt ransomware worm ESM use case & IOCs

Hi Yash, have you updated package to the latest version (1.3 at the moment)?

Probably the rule "Connections to External Multiple Hosts (by WannaCry)" generates a lot of correlated events. This rule triggers when one host from the internal network communicates with 14 different external hosts (on the internet) in one minute. This is one of the indicators of WannaCry worm behaviour. But this rule will also trigger on all your other network services (proxies etc.) that actively communicate with the internet. You can disable the rule or add all systems that generate false positives as exceptions to the conditions.

Aleks
