MalwareAnalysisSeries

This repository contains analysis reports, technical details and any tools created to help with malware analysis. Additionally, the repo contains extracted TTPs with code, along with detection rules.


Project maintained by shaddy43

MedusaLocker: Network Shares Scan


The malware possesses a networking module that enables it to connect to remote systems within the local network and scan for SMB shares. The initial step involves sending an ICMP “Ping” to each system in sequence and checking whether a response is received. After that, the malware examines the system for open SMB shares, excluding shares with a “$” in their name, which indicates hidden shares. The malware then accumulates the remaining shares in a list, which is encrypted at a later stage.

Detection Indicators

The detection indicators for network share scan used by MedusaLocker ransomware are as follows:

Log Sources

I have configured multiple log sources in my detection lab. I am using Azure Sentinel as my SIEM solution. The following logs are ingested into the SIEM:

Detection Engineering with Security Audit Logs

The following query filters events of network share access and correlates them with processes created on the system within a 30-second window by the same subject account that accessed the share. All processes created within 30 seconds of a share access are listed and then filtered to exclude Windows folders. Shares containing ‘$’ are excluded because MedusaLocker also excludes hidden shares in its discovery. The query may also produce some false positives among the listed processes, since the only correlation here is the time span: any process created within the 30-second window will be displayed.

let network_shares_access = SecurityEvent
| where EventID == 5140
| project Timebin = bin(TimeGenerated, 30s), Computer, Account, IpAddress, IpPort, ShareName, SubjectAccount;
let process_created = SecurityEvent
| where EventID == 4688
| project Timebin = bin(TimeGenerated, 30s), Computer, NewProcessName, ParentProcessName, SubjectAccount;
network_shares_access
| join kind=inner (process_created) on SubjectAccount, Timebin // same account and same 30-second bucket
| where not(NewProcessName has_any('windows', 'system32', 'program files')) // drop binaries under OS folders
| project Timebin, Computer, ShareName, IpAddress, IpPort, SubjectAccount, ProcessCreationSubjectAccount = SubjectAccount1, NewProcessName, ParentProcessName
| where ShareName !contains "$" // Remove hidden shares from the list, as MedusaLocker does
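To make the correlation logic easy to test outside Sentinel, the following is an added Python example (not code from this repository) that re-implements the same join over a handful of constructed SecurityEvent-like records: 5140 share accesses are bucketed into 30-second bins per subject account, 4688 process creations in the same bucket and account are paired with them, hidden shares (containing `$`) and binaries under OS folders are dropped. The records, account names and paths are made up for the example; the exclusion terms are matched as substrings of the lower-cased path, which is slightly broader than KQL's term-based `has_any`.

```python
from collections import defaultdict
from datetime import datetime

BIN_SECONDS = 30
# Same exclusion terms as the KQL has_any(); matched here as substrings of the
# lower-cased path (slightly broader than KQL term matching).
SYSTEM_PATH_TERMS = ("windows", "system32", "program files")

# Constructed sample records (not real telemetry), shaped like the SecurityEvent
# columns the query projects: 5140 share access and 4688 process creation.
SAMPLE_EVENTS = [
    {"EventID": 5140, "TimeGenerated": "2024-08-11T10:00:05", "Computer": "FS01",
     "SubjectAccount": "CORP\\alice", "IpAddress": "10.0.0.15", "IpPort": "49812",
     "ShareName": "\\\\*\\Finance"},
    {"EventID": 5140, "TimeGenerated": "2024-08-11T10:00:07", "Computer": "FS01",
     "SubjectAccount": "CORP\\alice", "IpAddress": "10.0.0.15", "IpPort": "49812",
     "ShareName": "\\\\*\\ADMIN$"},                       # hidden share, excluded
    {"EventID": 4688, "TimeGenerated": "2024-08-11T10:00:12", "Computer": "WS15",
     "SubjectAccount": "CORP\\alice",
     "NewProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},   # same bucket -> hit
    {"EventID": 4688, "TimeGenerated": "2024-08-11T10:00:20", "Computer": "WS15",
     "SubjectAccount": "CORP\\alice",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},   # OS path, excluded
    {"EventID": 4688, "TimeGenerated": "2024-08-11T10:01:40", "Computer": "WS15",
     "SubjectAccount": "CORP\\alice",
     "NewProcessName": "C:\\Users\\alice\\tool.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},   # later bucket, no hit
    {"EventID": 4688, "TimeGenerated": "2024-08-11T10:00:15", "Computer": "WS22",
     "SubjectAccount": "CORP\\bob",
     "NewProcessName": "C:\\Users\\bob\\run.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},   # different account, no hit
]


def time_bin(timestamp: str) -> int:
    """Bucket number of a timestamp, equivalent to KQL bin(TimeGenerated, 30s)."""
    seconds = (datetime.fromisoformat(timestamp) - datetime(1970, 1, 1)).total_seconds()
    return int(seconds // BIN_SECONDS)


def is_system_path(path: str) -> bool:
    """True when the process image lives under one of the excluded OS folders."""
    lowered = path.lower()
    return any(term in lowered for term in SYSTEM_PATH_TERMS)


def correlate(events):
    """Pair non-hidden share accesses with process creations by the same account in the same bucket."""
    # Left side of the join: non-hidden share accesses keyed by (account, bucket).
    share_access = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 5140 and "$" not in ev["ShareName"]:
            share_access[(ev["SubjectAccount"], time_bin(ev["TimeGenerated"]))].append(ev)

    hits = []
    for ev in events:
        if ev["EventID"] != 4688 or is_system_path(ev["NewProcessName"]):
            continue
        key = (ev["SubjectAccount"], time_bin(ev["TimeGenerated"]))
        for share in share_access.get(key, []):
            hits.append({
                "Timebin": key[1] * BIN_SECONDS,
                "Computer": share["Computer"],
                "ShareName": share["ShareName"],
                "IpAddress": share["IpAddress"],
                "IpPort": share["IpPort"],
                "SubjectAccount": share["SubjectAccount"],
                "NewProcessName": ev["NewProcessName"],
                "ParentProcessName": ev["ParentProcessName"],
            })
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Running it yields a single pair: the `Finance` share access and `svc.exe`, both from `CORP\alice` inside the same 30-second bucket. Note that bucketing is what the KQL `bin()` does too: two events 5 seconds apart can still land in different buckets if they straddle a boundary, so a production rule may prefer a true time-range join if the extra cost is acceptable.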

Detection Engineering with SIGMA Rule

The following SIGMA rule detects access to network shares based on the artifacts of MedusaLocker ransomware. The artifacts in this case are ransom notes or file extensions. To improve the rule, add more detection artifacts.

title: MedusaLocker Network Share Discovery and access
id: 1b28d761-63fc-4e1f-bc63-ba7883cb5ebc
status: experimental
description: Detects access to network shares based on the artifacts of MedusaLocker ransomware
references:
    - https://www.sentinelone.com/blog/how-medusalocker-ransomware-aggressively-targets-remote-hosts/
    - https://socradar.io/dark-web-profile-medusa-ransomware-medusalocker/
author: Shayan Ahmed Khan (shaddy43)
date: 2024/08/11
tags:
    - attack.discovery
    - attack.t1135
logsource:
    product: windows
    service: security
detection:
    selection_access_eventid:
        EventID:
            - 4663
            - 4656
    selection_access_data:
        - ObjectName|endswith: '.lock'
        - ObjectName|contains: 'how_to_back_files.html'
        - ObjectName|contains: 'how_to_recover_data.html'
        - ObjectName|contains: 'how_to_recover_data.html.marlock01'
    selection_share_eventid:
        EventID:
            - 5145
            - 5140
    selection_share_data:
        - RelativeTargetName|endswith: '.lock'
        - RelativeTargetName|contains: 'how_to_back_files.html'
        - RelativeTargetName|contains: 'how_to_recover_data.html'
        - RelativeTargetName|contains: 'how_to_recover_data.html.marlock01'
    selection_filter:
        - ProcessName|contains: 'explorer'
    condition: (all of selection_access_* or all of selection_share_*) and not selection_filter
falsepositives:
    - Unknown
level: high
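To check the rule's condition logic before deploying it, here is an added Python example (not part of this repository or the Sigma project) that evaluates the same selections, artifact patterns and `explorer` filter over constructed Windows Security events. The file names, share name and process paths in the sample records are made up; the artifact strings are the ones in the rule above, and matching is case-insensitive because Sigma's `contains`/`endswith` modifiers are case-insensitive by default.

```python
# Constructed sample records (not real telemetry), shaped like Windows Security
# events after Sigma field mapping: 4663/4656 object access and 5145 share access.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectName": "C:\\Users\\alice\\Documents\\q3_report.docx.lock",
     "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"},        # match
    {"EventID": 4663, "ObjectName": "C:\\Users\\alice\\Desktop\\HOW_TO_RECOVER_DATA.html",
     "ProcessName": "C:\\Windows\\explorer.exe"},                               # user opened note, filtered
    {"EventID": 5145, "RelativeTargetName": "Finance\\how_to_back_files.html",
     "ShareName": "\\\\*\\Finance"},                                            # match
    {"EventID": 4656, "ObjectName": "C:\\Users\\alice\\Documents\\notes.txt",
     "ProcessName": "C:\\Windows\\System32\\notepad.exe"},                      # benign, no match
    {"EventID": 4688, "NewProcessName": "C:\\Users\\alice\\how_to_back_files.html.lock"},  # wrong event, no match
]

# selection_access_data / selection_share_data patterns from the rule.
RANSOM_NOTE_NAMES = (
    "how_to_back_files.html",
    "how_to_recover_data.html",
    "how_to_recover_data.html.marlock01",
)
ACCESS_EVENT_IDS = {4663, 4656}   # selection_access_eventid
SHARE_EVENT_IDS = {5145, 5140}    # selection_share_eventid


def has_medusalocker_artifact(path: str) -> bool:
    """Sigma string modifiers are case-insensitive by default, so compare lower-cased."""
    lowered = path.lower()
    return lowered.endswith(".lock") or any(name in lowered for name in RANSOM_NOTE_NAMES)


def sigma_match(event: dict) -> bool:
    """Evaluate: (all of selection_access_* or all of selection_share_*) and not selection_filter."""
    event_id = event.get("EventID")
    if event_id in ACCESS_EVENT_IDS:
        selected = has_medusalocker_artifact(event.get("ObjectName", ""))
    elif event_id in SHARE_EVENT_IDS:
        selected = has_medusalocker_artifact(event.get("RelativeTargetName", ""))
    else:
        selected = False
    # selection_filter: explorer.exe touching the note is most likely a user opening it.
    filtered = "explorer" in event.get("ProcessName", "").lower()
    return selected and not filtered


def evaluate(events):
    """Return the events the rule would alert on, in input order."""
    return [event for event in events if sigma_match(event)]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["EventID"], alert.get("ObjectName") or alert.get("RelativeTargetName"))
```

Two of the five sample events fire: the `.lock` file access by a non-explorer process and the ransom note accessed over the `Finance` share. The upper-case `HOW_TO_RECOVER_DATA.html` record would match on name but is dropped by the explorer filter, which is the same behaviour the rule's `not selection_filter` clause produces.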