Use Windows event logs for ransomware investigations, JPCERT/CC advises - Help Net Security

The JPCERT Coordination Center – the first Computer Security Incident Response Team established in Japan – has compiled a list of entries in Windows event logs that could help enterprise defenders respond to human-operated ransomware attacks and potentially limit the malware’s damage. When dealing with a ransomware attack, identifying the ransomware used as soon as possible is of critical importance, as knowledge of the tactics, techniques and behavioral patterns used by the attackers can help with the investigation of and response to the intrusion, and possibly help responders prevent the ransomware from being deployed on a greater number of systems (e.g., the ransomware may have failed to execute or is inactive until triggered by attackers). Detecting specific entries in Windows event logs – Application, Security, System, Setup – may reveal the identity of the attackers and the ransomware used (when it’s not obvious). “JPCERT/CC’s investigation confirmed that some ransomware leaves traces in the Windows event log, and that it is sometimes possible to identify the ransomware based on these characteristics,” malware analyst Kyosuke Nakamura noted. Conti ransomware and related ransomware such as Akira or Lockbit3.0, for example, often trigger a large number of logs (event IDs: 10000, 10001) in a short period of time, because they indicate the automatic closing of running applications when Windows OS is restarted or shut down. Phobos ransomware and related ransomware such as 8base, on the other hand, trigger event IDs 612, 524 and 753, which are related to canceling scheduled backups, deleting the system catalog, and starting the backup system. “The difficult part of the initial response to a human-operated ransomware attack is identifying the attack vector,” the organization pointed out. “Event logs can only support damage investigations and attribution, but in situations where a lot of information is deleted or encrypted, investigating everything that could be useful may provide some good insights,” Nakamura concluded. The compiled document also details logs associated with Midas, BadRabbit, Bisamware, shade, GandCrab, AKO, avoslocker, BlackBasta, and Vice Society ransomware.

This Cyber News was published on www.helpnetsecurity.com. Publication date: Tue, 01 Oct 2024 11:13:07 +0000


Cyber News related to Use Windows event logs for ransomware investigations, JPCERT/CC advises - Help Net Security

Use Windows event logs for ransomware investigations, JPCERT/CC advises - Help Net Security - The JPCERT Coordination Center – the first Computer Security Incident Response Team established in Japan – has compiled a list of entries in Windows event logs that could help enterprise defenders respond to human-operated ransomware ...
2 months ago Helpnetsecurity.com
JPCERT shares Windows Event Log tips to detect ransomware attacks - Japan's Computer Emergency Response Center (JPCERT/CC) has shared tips on detecting different ransomware gang's attacks based on entries in Windows Event Logs, providing timely detection of ongoing attacks before they spread too far into a network. ...
2 months ago Bleepingcomputer.com
CVE-2024-26633 - In the Linux kernel, the following vulnerability has been resolved: ...
9 months ago
CVE-2024-36886 - In the Linux kernel, the following vulnerability has been resolved: ...
5 months ago
CVE-2024-26857 - In the Linux kernel, the following vulnerability has been resolved: ...
8 months ago
CVE-2024-35893 - In the Linux kernel, the following vulnerability has been resolved: ...
5 months ago
CVE-2024-47685 - In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending garbage on the four reserved tcp bits (th->res1) Use ...
2 months ago Tenable.com
CVE-2024-50083 - In the Linux kernel, the following vulnerability has been resolved: tcp: fix mptcp DSS corruption due to large pmtu xmit Syzkaller was able to trigger a DSS corruption: TCP: request_sock_subflow_v4: Possible SYN flooding on port [::]:20002. Sending ...
1 month ago Tenable.com
CVE-2024-26781 - In the Linux kernel, the following vulnerability has been resolved: mptcp: fix possible deadlock in subflow diag Syzbot and Eric reported a lockdep splat in the subflow diag: WARNING: possible circular locking dependency detected ...
8 months ago Tenable.com
CVE-2023-52784 - In the Linux kernel, the following vulnerability has been resolved: bonding: stop the device in bond_setup_by_slave() Commit 9eed321cde22 ("net: lapbether: only support ethernet devices") has been able to keep syzbot away from net/lapb, until today. ...
7 months ago Tenable.com
Is that It? Finding the Unknown: Correlations Between Honeypot Logs & PCAPs - Simply parsing through the logs may not always give you a complete picture either. This blog post will walk through the steps I have taken to build a bigger picture to make an attack observation, briefly going over various attacks such as malicious ...
6 months ago Isc.sans.edu
CVE-2022-48956 - In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid use-after-free in ip6_fragment() Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers. It seems to not be always true, at least for UDP stack. syzbot ...
2 months ago Tenable.com
CVE-2024-50035 - In the Linux kernel, the following vulnerability has been resolved: ppp: fix ppp_async_encode() illegal access syzbot reported an issue in ppp_async_encode() [1] In this case, pppoe_sendmsg() is called with a zero size. Then ppp_async_encode() is ...
2 months ago Tenable.com
CVE-2024-50033 - In the Linux kernel, the following vulnerability has been resolved: slip: make slhc_remember() more robust against malicious packets syzbot found that slhc_remember() was missing checks against malicious packets [1]. slhc_remember() only checked the ...
2 months ago Tenable.com
CVE-2024-26852 - In the Linux kernel, the following vulnerability has been resolved: net/ipv6: avoid possible UAF in ip6_route_mpath_notify() syzbot found another use-after-free in ip6_route_mpath_notify() [1] Commit f7225172f25a ("net/ipv6: prevent use after free in ...
8 months ago Tenable.com
Week in review: PoC for Splunk Enterprise RCE flaw released, scope of Okta breach widens - Vulnerability disclosure: Legal risks and ethical considerations for researchersIn this Help Net Security interview, Eddie Zhang, Principal Consultant at Project Black, explores the complex and often controversial world of vulnerability disclosure in ...
1 year ago Helpnetsecurity.com
CVE-2024-26863 - In the Linux kernel, the following vulnerability has been resolved: ...
8 months ago
CVE-2024-26641 - In the Linux kernel, the following vulnerability has been resolved: ...
9 months ago
CVE-2024-26882 - In the Linux kernel, the following vulnerability has been resolved: ...
7 months ago
CVE-2024-35973 - In the Linux kernel, the following vulnerability has been resolved: ...
5 months ago
CVE-2024-35934 - In the Linux kernel, the following vulnerability has been resolved: ...
7 months ago
CVE-2023-52845 - In the Linux kernel, the following vulnerability has been resolved: tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING syzbot reported the following uninit-value access issue [1]: ===================================================== ...
7 months ago Tenable.com
JPCERT shares Windows Event Log tips to detect ransomware attacks - Japan's Computer Emergency Response Center (JPCERT/CC) has shared tips on detecting different ransomware gang's attacks based on entries in Windows Event Logs, providing timely detection of ongoing attacks before they spread too far into a network. ...
2 months ago Bleepingcomputer.com
CVE-2024-26624 - In the Linux kernel, the following vulnerability has been resolved: ...
9 months ago
CVE-2024-50085 - In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Syzkaller reported this splat: ================================================================== BUG: KASAN: ...
1 month ago Tenable.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)