elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Meta] Linux Ransomware Analysis - Cl0p & BlackCat #2936

Closed Aegrah closed 1 year ago

Aegrah commented 1 year ago

### Summary

Dynamic/Static analysis of most recent blackcat, cl0p, and royal ransomware samples to identify unique characteristics across the entirety of the MITRE ATT&CK matrix.

### Tasks
- [ ] collect and study public documentation (blogs, whitepapers etc.) - week 1
- [ ] collect samples - week 1
- [ ] test coverage and identify gaps - week 1/2
- [ ] tune or write new rules - week 2

### Goals

### Resources

https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/

botelastic[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] commented 1 year ago

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.