📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • 01. Introduction
  • 02. Login to elastic
  • 03. Investigate Ransomware Alert
  • 04. Security questions
  • 05. Answers
  • 06. Limitations
  • 07. Analyzing trojan file

Was this helpful?

  1. Forensic Readiness
  2. Ransomware Detection

Signature based

PreviousRansomware DetectionNextLive Response

Last updated 2 years ago

Was this helpful?

01. Introduction

A malware signature is a footprint or pattern observable in a malicious attack. These patterns include file sizes, imported functions, file hashes, printable strings, byte offsets, and other indicators of compromise (IoCs). Signature-based detection operates by comparing the activity of the provided sample with the database of recognized patterns.

Here's the step-by-step process for signature-based ransomware detection:

  1. A new type of ransomware is discovered.

  2. The ransomware's footprint is added to a database.

  3. The antivirus product is updated to include the new database.

  4. The antivirus product is then able to detect the ransomware during scans by searching for its footprint.

There are several advantages of using signature-based detection to identify and respond to threats — it offers several benefits over basic file hash matching. One advantage is that it enables analysts to target entire malware families rather than just a single variant. This is because signatures often match commonalities among variants.

Another advantage is that signatures are extremely versatile and can be used to detect various types of file-based malware. Signatures can be written to include or exclude specific file types. This means that signature-based detection methods can be used to potentially scan and match a signature across almost any file type. Furthermore, simple signature formats such as YARA are useful to security professionals across the globe. YARA offers a standardized text-based format for signature-based detection rules to be written and tested, meaning that rules can be shared across the cybersecurity community in threat intelligence feeds.

02. Login to elastic

A few days ago, you received a ticket stating that some of the older testing hardware in Commensurate Technology (ComTech) have been infected with ransomware. You prepare yourself for the worst, but after looking into the hardware you discover that it is one of the older versions of WannaCry to be specific. Since the testing hardware is not used very often and no sensitive data was stored on them, you simply erase all and start with the fresh copy of Windows 10. Only this time, you decide to deploy the Elastic Security Endpoint Detection and Response (EDR) solution on all of the testing hardware.

03. Investigate Ransomware Alert

After deploying the EDR solution, you should now test that the malware prevention and alerts work. To do that, you will need a real ransomware sample. You decide to speak with a colleague who used one of the testing laptops before the ransomware attack.

The investigation shows that the ransomware was dropped by a Trojan, which was delivered via a malicious macro from a phishing email to one of the developers that used the hardware. Fortunately, you have been able to successfully extract samples of both the ransomware and the dropper from one of the infected machines.

Now it's time to put Elastic's signature-based detection capabilities to the test.

  • Extract the malware to the dektop

    • Password: infected

After a short wile the elastic agent did detect the malware and removed it:

Go trough the security details to answer the questions.

04. Security questions

  1. What is the severity score for this alert?

  2. What is the MD5 file hash value of the ransomware?

  3. What is the original file name of the ransomware?

  4. What is the file size (in bytes) of the ransomware?

05. Answers

The secerity score is 73

The MD5 hash is 84c82835a5d21bbcf75a61706d8ab549

The original filename is: diskpart.exe

File size is: 3514368 bytes

06. Limitations

The main limitation of signature-based detection is that it cannot identify zero-day attacks or new malware with unknown signatures. This is because security solutions will have no corresponding signature stored in the database. For this reason, signature-based ransomware detection will always be a reactive approach to cybersecurity, meaning that it's impossible to get ahead of the attackers when it comes to malware signature.

The second major limitation of signature-based detection is the emergence of fileless malware, that is, malware in which the code is run directly in memory rather than by executing a malicious file.

07. Analyzing trojan file

If you extract the contents of the Emotet.zip file on the desktop, you will notice that, unlike the WannaCry sample, Elastic is unable to detect a malicious signature from the Datei 1609(2).doc file. This is due to the fact that malware authors often change Emotet, making it difficult to detect by signature-based methods. However, if you upload the file to VirusTotal or search for the file using its hash, you can clearly see that it is in fact malicious

Virustotal results: