forked from splunk/security_content
ransomware_cloud.yml
name: Ransomware Cloud
id: f52f6c43-05f8-4b19-a9d3-5b8c56da91c2
version: 1
date: '2020-10-27'
author: Rod Soto, David Dorsey, Splunk
description: Leverage searches that allow you to detect and investigate unusual activities
  that might relate to ransomware. These searches include cloud-related objects that
  may be targeted by malicious actors via cloud providers' own encryption features.
narrative: Ransomware is an ever-present risk to the enterprise, wherein an infected
  host encrypts business-critical data, holding it hostage until the victim pays the
  attacker a ransom. There are many types and varieties of ransomware that can affect
  an enterprise. Cloud ransomware can be deployed by obtaining high-privilege credentials
  from targeted users or resources.
references:
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
- https://github.com/d1vious/git-wild-hunt
- https://www.youtube.com/watch?v=PgzNib37g0M
tags:
  analytic_story: Ransomware Cloud
  category:
  - Malware
  product:
  - Splunk Security Analytics for AWS
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection