blue tangle

  Following on from reading an unSafe.sh post about recent Lockbit ransomware gang activity, aka the new "Lockbit Black", I decided to look into a file that was posted along with the analysis, "123.bat".   You can view or grab a gist of the batch file below: We're going to run this batch file on a test VM and have a look at the resulting logs for some detection ideas, I'll be giving examples in Splunk SPL but I am certain with a little SIEM magic you can adapt the content to elastic, Sentinel or Defender Advanced Hunting queries instead. Lets get to it. The first questions we have to ask though, are around log availability and log visibility.  Are you ingesting Windows EventID 4688 and command line parameters along with that? How about logs from Powershell? If you are still running an older version of Powershell in your estate and finding motivation to update to 5+ is tough then here's your driver, better security and better logs that you can bung i

  If you want inspiration for a slidedeck on the history of ransomware look no further. Where I wanted to nail down specific dates I looked for when ransomware strains or incidents made the mainstream news and used that as my base timeline. The slides cover the first incident of data held for ransom that I could find (in 1981) through to Karakurt as what I see as the future of ransomware, touching on targeted ransomware attacks and the advent of Big Game Hunting in between. The talk is made to be delivered in about 25 - 30 minutes, though I was cutting it rather close with that timing. Feel free to use and alter this PowerPoint as you wish.