IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Suspicious File Changes Activity Detected
Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is mass encryption of the file system, after which a new file extension is appended to each encrypted file. This rule identifies a run of 50 file rename events, all performed by the same process on the same host and all producing the same file extension, within a 1-second window.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- Impact
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
sequence by host.id, process.entity_id, file.extension with maxspan=1s
  [ file where host.os.type == "linux" and event.type == "change" and
    event.action == "rename" and file.extension != "" ] with runs=50
| tail 1
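To make the sequence semantics concrete, the following Python is an added illustration written for this page; it is not Elastic's EQL engine or the rule's own code. It re-implements the three parts of the query over constructed ECS-style events: the per-event filter, the join keys (host.id, process.entity_id, file.extension), the runs=50 / maxspan=1s window, and the trailing | tail 1. Field names follow ECS; the event dicts, timestamps (in seconds) and process identifiers are made up for the example, and the toy consumes events per non-overlapping 50-event run, which is a simplification of EQL's matching.

```python
from collections import defaultdict, deque

RUNS = 50       # `with runs=50`: fifty consecutive matching events
MAXSPAN = 1.0   # `maxspan=1s`: first and last event at most one second apart


def matches_filter(ev):
    """The rule's single event filter:
    file where host.os.type == "linux" and event.type == "change"
         and event.action == "rename" and file.extension != ""
    """
    return (ev.get("event.category") == "file"
            and ev.get("host.os.type") == "linux"
            and ev.get("event.type") == "change"
            and ev.get("event.action") == "rename"
            and ev.get("file.extension", "") != "")


def find_sequences(events, runs=RUNS, maxspan=MAXSPAN):
    """Emit one match for every non-overlapping run of `runs` filtered events
    that share the join key (host.id, process.entity_id, file.extension)
    and whose first and last timestamps lie within `maxspan` seconds.
    Events are processed in timestamp order, as EQL does."""
    pending = defaultdict(deque)   # join key -> timestamps that can still complete a run
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_filter(ev):
            continue
        key = (ev["host.id"], ev["process.entity_id"], ev["file.extension"])
        window = pending[key]
        window.append(ev["@timestamp"])
        # Events more than maxspan older than the newest one can no longer be
        # part of a run ending here; discard them from the front.
        while window[-1] - window[0] > maxspan:
            window.popleft()
        if len(window) >= runs:
            matches.append({"host.id": key[0], "process.entity_id": key[1],
                            "file.extension": key[2],
                            "first": window[0], "last": window[-1]})
            window.clear()   # the run is consumed; a new one starts from scratch
    return matches


def rule_alerts(events):
    """Apply the trailing `| tail 1`: only the last completed sequence is kept,
    so one encryption burst yields a single alert rather than one per run."""
    return find_sequences(events)[-1:]


def _renames(host, pid, ext, count, start, spacing, os="linux"):
    """Constructed sample events: `count` renames by one process to one extension."""
    return [{"@timestamp": start + i * spacing, "event.category": "file",
             "host.os.type": os, "event.type": "change", "event.action": "rename",
             "host.id": host, "process.entity_id": pid, "file.extension": ext,
             "file.path": f"/home/user/docs/report{i}.docx.{ext}"}
            for i in range(count)]


# Constructed sample log for the example, not real endpoint telemetry.
SAMPLE_EVENTS = (
    _renames("host-1", "proc-ransom", "locked", 60, 1000.0, 0.01)   # 60 renames in under a second: fires
    + _renames("host-1", "proc-slow", "bak", 50, 2000.0, 0.05)      # 50 renames spread over 2.45s: too slow
    + _renames("host-1", "proc-few", "tmp", 49, 3000.0, 0.01)       # one rename short of 50
    + _renames("host-1", "proc-mixed", "a", 25, 4000.0, 0.01)       # 50 renames, but split across two
    + _renames("host-1", "proc-mixed", "b", 25, 4000.0, 0.01)       #   extensions: two join keys of 25
    + _renames("host-2", "proc-win", "locked", 60, 5000.0, 0.01, os="windows")  # filtered out: not Linux
)

if __name__ == "__main__":
    for alert in rule_alerts(SAMPLE_EVENTS):
        print(alert)
```

Only the "proc-ransom" burst satisfies all three constraints; the other constructed processes each fail exactly one of them (speed, count, join key, or the per-event filter). Note that nothing in the query inspects file contents: any process that renames 50 files to the same extension within a second will satisfy it, so triage of a hit should pivot on process.entity_id and the affected file.path values.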
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Impact
  - ID: TA0040
  - Reference URL: https://attack.mitre.org/tactics/TA0040/
- Technique:
  - Name: Data Encrypted for Impact
  - ID: T1486
  - Reference URL: https://attack.mitre.org/techniques/T1486/