Microsoft could fix ransomware by rate limiting CreateFile(), the API that’s used to open files. Opening files is a crucial step to encrypting or exfiltrating the data, and very few apps need to open a lot of files at once.

I’ve heard that Microsoft's reason for not fixing it is … because user experience shouldn’t change because of Windows Update… https://wandering.shop/@xgranade/112498285644883431

Xandra Granade 🏳️‍⚧️ (@xgranade, The Wandering Shop):

I remember when Windows 10 mail was local only, before a Windows Update made it cloud-only. I remember Edge didn't have built-in ads, before an update put ads everywhere. I remember when the My Documents folder was local-only by default, until a new version of OneDrive pushed it all to the cloud by default. History suggests that this kind of product is too often a wedge to justify more abuse of personal information in the future.

@adamshostack @xgranade We had good recovery, so not too bad, but then I met all the vendors I could find and asked them: this is a very specific behavior, one laptop opening thousands of files per second over the network on the file server, you should be able to detect and block that, what do you have?

None had a solution. Even Cisco, despite having acquired Snort.

@WowSuchCyber @adamshostack @xgranade Shouldn't that be a trivial rule in Splunk or any other decent log analysis tool? Either by monitoring the file server or the client.

@afx @WowSuchCyber @xgranade What’s “trivial”? (1/3)

@afx @WowSuchCyber @xgranade If it’s so obvious why does every Splunk user need to reinvent it? (2/3)

[edit I should have said snort not splunk]

@afx @WowSuchCyber @xgranade Lastly, can you give me your GitHub of trivial rules that everyone should be using? 😀 More seriously it’s easy to declare things obvious in hindsight (3/3)

@afx @WowSuchCyber @xgranade Lastly Splunk is a network IDS not a log analysis tool. I don’t think it does volume very well. If it did, a Cisco sales Eng should have whipped it up on the spot. (4/3, doubling down on “what’s trivial” 😀🤷)

[edit: I meant to say snort]

@adamshostack @WowSuchCyber @xgranade Are you mixing up Splunk with Snort?

@afx @WowSuchCyber @xgranade I totally am. I blame a lack of coffee and Covid. Probably in that order.

@afx @WowSuchCyber @xgranade I think it should be an easy rule in the Splunk log analysis tool, which is not the Snort IDS that Cisco owns. But also I don’t know Splunk rules and so have no idea how to express “lots” in them.

@adamshostack @WowSuchCyber @xgranade Can't whip it up right now, I am on vacation, no Splunk to play with. But in general it is not hard to set up a rule that says if event X occurs more than Y times in a given time window on host Z, raise an alert. Of course, that requires getting the right events into it first.

@afx @WowSuchCyber @xgranade Yes, just to play devil's advocate: "you want to log every file open and pay us for it? ok!"

@adamshostack @WowSuchCyber @xgranade Yup, that is the pain with Splunk. I am still hoping for an equally capable tool with a more civilised price structure. (The mother ship could theoretically easily buy an unlimited corporate license, but there are politics in the way.)

@adamshostack @afx @WowSuchCyber @xgranade ding!

In order to make such a rule cost effective, you need correlation to happen on the endpoint. Which requires a specialized endpoint security solution.

OR

You take the idea of (I forget the name of the security product) dropping some honey files and only take action when those are touched. Much lower volume to ship up to your centralized logging solution, but it also means actually understanding logging well enough to know how to set up and send up those logs.

@TindrasGrove @afx @WowSuchCyber @xgranade Thinkst? (cc @haroonmeer hey, could you do this to alert on ransomware?)

@adamshostack @afx @WowSuchCyber @xgranade @haroonmeer It wasn’t Thinkst, but I expect you could use them to set up such a rule.

@adamshostack @TindrasGrove @WowSuchCyber @xgranade @haroonmeer The problem with canaries is, they need to sit in the path that the adversary touches. But that should be easy in big file shares, much more of a pain if you have many dedicated shares.

@afx @adamshostack @WowSuchCyber @xgranade @haroonmeer you are correct - the better you scatter canaries around, the faster detection will be.

Bonus points for seeing if the common ransomwares have logic about how they crawl a directory, so you can make sure they’re in some of the earlier-touched locations, instead of just “well, the ransomware will get here *eventually*” locations.

@TindrasGrove @adamshostack @WowSuchCyber @xgranade And this is where I think any modern EDR/XDR should do this in the endpoint.

@TindrasGrove @adamshostack @afx @xgranade That's what we did. Enable advanced file monitoring services (I think that's what it was called at the time) and monitor specific files we put in two shares, one named aaaa and the other zzzz, for the sole purpose of detecting scanning, with a trigger that locked the user of the file handle.
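The two detections discussed in the thread, the threshold rule (event X more than Y times in a window on host Z) and the canary files in shares named aaaa and zzzz, combined in one added example that is not code from any participant. The host names, share paths, event timestamps and thresholds are constructed; the response action (locking the user) is left to the reader's EDR and only alerts are produced.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-server audit events: (timestamp, client host, opened path).
BASE = datetime(2024, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # One client opening 1200 files in under a second (a hypothetical crawl of a share)
    [(BASE + timedelta(milliseconds=0.7 * i), "LAPTOP-07", f"\\\\fs01\\hr\\doc{i}.docx")
     for i in range(1200)]
    # A normal user opening a handful of files over a minute
    + [(BASE + timedelta(seconds=5 * i), "DESK-12", f"\\\\fs01\\finance\\q{i}.xlsx")
       for i in range(5)]
    # A single touch of a decoy file placed in the share named aaaa
    + [(BASE + timedelta(seconds=30), "LAPTOP-07", "\\\\fs01\\aaaa\\payroll_backup.xlsx")]
)

# Decoy files that no legitimate workflow opens; placed in shares named aaaa and zzzz
CANARY_PATHS = {
    "\\\\fs01\\aaaa\\payroll_backup.xlsx",
    "\\\\fs01\\zzzz\\passwords.txt",
}


def detect(events, threshold=1000, window=timedelta(seconds=1), canaries=CANARY_PATHS):
    """Return alerts: ('rate', host, count) the first time a host exceeds `threshold`
    opens inside any sliding `window`, and ('canary', host, path) on every canary touch.
    A host raises a rate alert only once so a long crawl does not flood the output."""
    alerts = []
    recent = defaultdict(deque)  # host -> timestamps of opens still inside the window
    rate_flagged = set()
    for ts, host, path in sorted(events):
        if path in canaries:
            alerts.append(("canary", host, path))
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) > threshold and host not in rate_flagged:
            rate_flagged.add(host)
            alerts.append(("rate", host, len(q)))
    return alerts


if __name__ == "__main__":
    for kind, host, detail in detect(SAMPLE_EVENTS):
        print(f"{kind:6} {host:10} {detail}")
```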