I turned on file system auditing on our Windows shares quite a long time
ago; it's just handy to have running for those times when you want to find
out specifics when users get paranoid.
This isn't an original thought, but it seems like we have almost all the
ingredients to come up with a detection rule for CryptoLocker outbreaks.
When you zip a file on the network, it creates a 4663 AUDIT_SUCCESS rule
along with Accesses %%4417 in the "Access Request Information".
Has anyone looked into creating a tripwire for an OSSEC rule in such a use
case? Does CryptoLocker (or variants) go wild on the network drives
encrypting all the files (read file, write encrypted version, delete
encrypted version) or do they throttle?
Just in a base test... it doesn't look like OSSEC pulls enough information
from the audit log to be precise. We should pull out the *user
name* and fire an alert on X number of these in a 15-minute period along
with the *Accesses:* code.
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_SUCCESS'
id: '4663'
extra_data: 'Microsoft-Windows-Security-Auditing'
dstuser: '(no user)'
system_name: 'server'
**Phase 3: Completed filtering (rules).
Rule id: '18104'
Level: '0'
Description: 'Windows audit success event.'
*List of access codes from Microsoft*
https://social.technet.microsoft.com/Forums/windows/en-US/0ec39516-5dcc-4453-9761-c1f94439a1cc/windows-7-security-audit-logs-how-do-i-translate-4421-1537-and-other-xxxx-data-fields?forum=w7itprosecurity
I suppose to make it a valid alert, it'd be good to run CryptoLocker in a
test lab and check that the audit logs do trigger the desired alerts.
Has anyone done this yet? If not, would you be interested in something
like this?
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
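Added example, not from the original post and not OSSEC code: the per-user "X writes in 15 minutes" logic the post proposes, run over constructed 4663 lines in the WinEvtLog shape the OSSEC agent forwards. It mirrors what an OSSEC frequency/timeframe rule with same_user would do, but pulls the Subject "Account Name" and the "Accesses:" code out of the message body itself, which the stock 'windows' decoder output above does not (dstuser is '(no user)'). The user names, SIDs, paths, timestamps and the threshold of 10 are assumptions; the access codes %%4417 (WriteData / AddFile) and %%1537 (DELETE) are from the Microsoft table linked above, and DELETE is included so the same detector also covers the delete step of a read/write/delete cycle.

```python
"""Per-user burst detector for Windows 4663 file-audit events.

Added example (not OSSEC's code, not from the original post). Sample lines are
CONSTRUCTED: the field wording follows the 4663 message text, but the SIDs,
account names, paths and timestamps are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Access codes from Microsoft's table: %%4417 = WriteData (or AddFile),
# %%1537 = DELETE. Reads (%%4416) are deliberately not watched.
WATCHED_ACCESSES = {"%%4417", "%%1537"}

# Simplified WinEvtLog line: "<ts> WinEvtLog: Security: AUDIT_SUCCESS(4663): ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: Security: "
    r"(?P<status>AUDIT_\w+)\((?P<id>\d+)\): .*?"
    r"Account Name: (?P<user>\S+) .*?"
    r"Object Name: (?P<object>.+?) Handle ID: .*?"
    r"Accesses: (?P<access>%%\d+)"
)


def make_line(ts, user, path, access, event_id=4663, status="AUDIT_SUCCESS"):
    """Build one constructed 4663 line in the shape the OSSEC agent forwards."""
    return (f"{ts} WinEvtLog: Security: {status}({event_id}): "
            "Microsoft-Windows-Security-Auditing: (no user): no domain: server: "
            "An attempt was made to access an object. Subject: Security ID: S-1-5-21-1 "
            f"Account Name: {user} Account Domain: CORP Logon ID: 0x1 "
            f"Object: Object Server: Security Object Type: File Object Name: {path} "
            f"Handle ID: 0x2 Access Request Information: Accesses: {access} Access Mask: 0x2")


def parse(line):
    """Return the fields we need (ts, status, id, user, object, access) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y %b %d %H:%M:%S")
    ev["id"] = int(ev["id"])
    return ev


def detect(lines, threshold=10, window=timedelta(minutes=15)):
    """One alert per burst of >= threshold watched accesses by the same user
    inside `window`. Like an OSSEC frequency rule, the counter resets when an
    alert fires, so a sustained outbreak yields one alert per burst, not one
    per file. Lines are expected in roughly chronological order."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, object name)
    alerts = []
    for line in lines:
        ev = parse(line)
        if not ev or ev["id"] != 4663 or ev["status"] != "AUDIT_SUCCESS":
            continue
        if ev["access"] not in WATCHED_ACCESSES:
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["object"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events older than window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": ev["user"], "when": ev["ts"], "count": len(q),
                           "files": sorted({obj for _, obj in q})})
            q.clear()
    return alerts


def sample_lines():
    """Constructed traffic: one user writing 12 files in 3 minutes (plus lots of
    reads, which must not count), one user writing 4 files over 2 hours."""
    base = datetime(2015, 1, 22, 10, 0, 0)

    def at(delta):
        return (base + delta).strftime("%Y %b %d %H:%M:%S")

    lines = []
    for i in range(12):   # jdoe: burst of writes, 15 s apart
        lines.append(make_line(at(timedelta(seconds=15 * i)), "jdoe",
                               "\\\\server\\share\\doc%d.docx" % i, "%%4417"))
    for i in range(20):   # jdoe: ReadData, not watched
        lines.append(make_line(at(timedelta(seconds=15 * i + 5)), "jdoe",
                               "\\\\server\\share\\doc%d.docx" % i, "%%4416"))
    for i in range(4):    # asmith: normal editing pace
        lines.append(make_line(at(timedelta(minutes=30 * i)), "asmith",
                               "\\\\server\\share\\report%d.xlsx" % i, "%%4417"))
    return sorted(lines)   # timestamp prefix is fixed-width, so lexical sort is chronological


if __name__ == "__main__":
    for a in detect(sample_lines()):
        print(f"{a['when']} {a['user']}: {a['count']} writes/deletes, e.g. {a['files'][:3]}")
```

In OSSEC terms the same thing is a child rule matching 4663 plus the chosen Accesses code, and a second rule on it with `<frequency>`, `<timeframe>900</timeframe>` and `<same_user />`; the catch, as the decoder output above shows, is that `same_user` keys on the decoded user field, so the account name has to be decoded out of the Subject block first or every event collapses onto '(no user)'.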