[BUG] Missing Wildcards in Splunk Rule for Detecting Known Services Killed by Ransomware #2996

Open
shimonShouei opened this issue Apr 9, 2024 · 0 comments · May be fixed by #3233
@shimonShouei

Product: Splunk Security Content

Description:

The Splunk rule named "known_services_killed_by_ransomware" is intended to detect when certain critical services have entered the stopped state, potentially as a result of ransomware activity. However, there is an inconsistency in the use of wildcards within the Message IN list, which may lead to the rule not triggering on relevant log messages.

Steps to Reproduce:

1. Navigate to the Splunk search interface.
2. Enter the provided Splunk rule named "known_services_killed_by_ransomware".
3. Execute the rule against the wineventlog_system log data containing EventCode 7036.

Expected Result:

The rule should match any Message that contains the names of the specified services followed by the phrase "service entered the stopped state", regardless of any additional text or variations in case.

Actual Result:

Due to missing wildcards for some service names and the lack of a comma between "QBCFMonitorService" and "YooBackup", the rule may not match all relevant Message field values, resulting in potential false negatives.

Bug Impact:

The effectiveness of the rule in detecting service interruptions related to ransomware activities is compromised. Critical alerts may be missed, reducing the ability of the security team to respond to ransomware threats in a timely manner.

Suggested Fix:

Review and update the rule to ensure consistent use of wildcards with all service names in the Message IN list. Add missing wildcards where necessary to capture variations in the Message field values. Ensure that all service names are correctly separated by commas.
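The following is an added illustration, not code from the issue or from the Splunk Security Content project: a small Python model of SPL-style wildcard matching (`*` matching any run of characters, compared case-insensitively, which is an assumption about the rule's semantics rather than something the issue states) used to show how one entry without a leading `*` in the `Message IN` list silently drops EventCode 7036 messages for that service. The two service names are the ones the report mentions; the message strings and the two pattern lists are constructed for the example and are not the rule's actual content. The missing-comma defect is not modelled here.

```python
import re

# Constructed EventCode 7036 messages in the Windows System log shape (not taken from the issue).
SAMPLE_MESSAGES = [
    "The QBCFMonitorService service entered the stopped state.",
    "The YooBackup service entered the stopped state.",
    "The yoobackup service entered the STOPPED state.",
    "The Print Spooler service entered the running state.",
]

# Hypothetical IN list mirroring the reported defect: the second entry lacks a leading wildcard,
# so the message prefix "The " prevents a match.
INCONSISTENT_LIST = [
    "*QBCFMonitorService service entered the stopped state*",
    "YooBackup service entered the stopped state*",
]

# The same list with wildcards applied consistently on both sides of every entry.
CONSISTENT_LIST = [
    "*QBCFMonitorService service entered the stopped state*",
    "*YooBackup service entered the stopped state*",
]

STOP_PHRASE = "service entered the stopped state"


def spl_wildcard_to_regex(pattern):
    """Translate an SPL-style wildcard string into an anchored, case-insensitive regex.
    Only '*' is special; everything else is matched literally."""
    parts = pattern.split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$", re.IGNORECASE)


def message_in(message, patterns):
    """Approximation of `Message IN (...)`: true if any wildcard entry matches the whole value."""
    return any(spl_wildcard_to_regex(p).match(message) for p in patterns)


def lint_in_list(patterns):
    """Return entries that are not wrapped in '*' on both ends; these can only match
    values that begin or end exactly with the literal text."""
    return [p for p in patterns if not (p.startswith("*") and p.endswith("*"))]


def false_negatives(messages, patterns):
    """Messages that carry the stop phrase and a listed service name but match no entry.
    The service name is recovered from each entry as the text before ' service'."""
    names = [p.strip("*").split(" service")[0] for p in patterns]
    expected = [
        m for m in messages
        if STOP_PHRASE in m.lower() and any(n.lower() in m.lower() for n in names)
    ]
    return [m for m in expected if not message_in(m, patterns)]


if __name__ == "__main__":
    print("entries missing wildcards:", lint_in_list(INCONSISTENT_LIST))
    print("missed with inconsistent list:", false_negatives(SAMPLE_MESSAGES, INCONSISTENT_LIST))
    print("missed with consistent list:  ", false_negatives(SAMPLE_MESSAGES, CONSISTENT_LIST))
```

Running the script shows the two YooBackup stop events slipping past the inconsistent list while the corrected list catches both and still ignores the unrelated "running state" event. The `lint_in_list` check is the kind of guard that can run in CI over a detection's `IN` list so that an entry without surrounding wildcards is flagged before the rule ships.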

@shimonShouei shimonShouei added the bug Something isn't working label Apr 9, 2024
@nasbench nasbench self-assigned this Dec 9, 2024
nasbench added a commit that referenced this issue Dec 9, 2024
@nasbench nasbench linked a pull request Dec 9, 2024 that will close this issue