Rorschach Ransomware Execution Activity

Rule name: Rorschach Ransomware Execution Activity

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Execution: Command and Scripting Interpreter - Windows Command Shell (T1059.003); Execution: Command and Scripting Interpreter - PowerShell (T1059.001)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Rorschach is a ransomware strain that propagates autonomously when executed on a domain controller, and it is reportedly one of the fastest strains observed in terms of encryption speed. It is described as gaining initial access via phishing, moving laterally and establishing persistence within the network, all while evading detection through heavy obfuscation. This rule does not look for the ransomware binary itself. It detects the built-in Windows utilities that Rorschach invokes before encryption (bcdedit, net/net1, netsh, wevtutil, vssadmin) when their recorded command line contains the placeholder string of repeated 1 characters that the malware passes at process creation and only afterwards overwrites in memory with the real arguments.

Severity

Critical

Rule journey

Attack chain scenario

Initial Access → Execution → PowerShell script execution → Lateral Movement → Defense Evasion → Impact → Encryption

Impact

  • System compromise
  • Malware execution
  • Data exfiltration
  • Data encryption

Rule Requirement

Prerequisites

  • Windows Event Viewer

Log on to the Group Policy Management Console with administrative privileges and enable auditing of process creation (and, optionally, process termination) events under Advanced Audit Policy Configuration > Detailed Tracking. Command-line matching requires the additional setting "Include command line in process creation events" (Administrative Templates > System > Audit Process Creation); without it the CommandLine field of event 4688 is empty and this rule cannot fire on Security-log data. Finally, create a new registry key "Microsoft-Windows-Security-Auditing/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".

  • Sysmon

Install Sysmon from Microsoft Sysinternals with a configuration file that includes process creation monitoring (Event ID 1), and make sure the process creation rule set captures all process creations rather than an include-list. Sysmon Event ID 1 records the command line and parent image natively, independent of the Windows audit policy. Finally, create a registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".
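The Group Policy steps above, as an added example that is not part of this page: the equivalent local-host configuration in PowerShell, followed by a check that the telemetry the rule needs is actually present. It assumes an elevated session on an English-language Windows install (auditpol subcategory names are localised) and uses the documented ProcessCreationIncludeCmdLine_Enabled registry value that the GPO setting writes.

```powershell
# Added example (not from the original page): enable and verify the process-creation
# telemetry this rule depends on, on one host. In a domain push the same settings via GPO:
#   Advanced Audit Policy Configuration > Detailed Tracking > Audit Process Creation (Success)
#   Administrative Templates > System > Audit Process Creation > Include command line in process creation events
# Run from an elevated PowerShell session on an English-language install (auditpol names are localised).

# 1. Audit Process Creation (Success) -> Event ID 4688 in the Security log.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# 2. Record the full command line in 4688. This is the registry value the GPO setting writes;
#    without it the CommandLine field is empty and a COMMANDLINE CONTAINS "11111111" match
#    can never fire on Security-log events.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Verify the effective settings instead of trusting the commands above.
$policy  = auditpol /get /subcategory:"Process Creation" /r |
           Where-Object { $_ -match '\S' } | ConvertFrom-Csv
$cmdLine = (Get-ItemProperty -Path $auditKey -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled

if ($policy.'Inclusion Setting' -match 'Success' -and $cmdLine -eq 1) {
    Write-Output 'OK: 4688 is generated and carries the command line.'
} else {
    Write-Warning 'Process-creation telemetry is incomplete; this rule cannot match on Security-log events.'
}

# 4. Sysmon, if installed, logs Event ID 1 with CommandLine and ParentImage regardless of audit policy.
$sysmon = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue
if ($sysmon -and $sysmon.IsEnabled) {
    Write-Output "OK: Sysmon channel present ($($sysmon.RecordCount) records)."
} else {
    Write-Output 'Sysmon channel not found; only Security 4688 will feed this rule on this host.'
}
```

Step 3 is the part worth keeping in a health check: the rule's query is a string match on the command line, so a host whose 4688 events lack the CommandLine field is silently blind to this pattern while still appearing to log process creation.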

(((( COMMANDLINE CONTAINS "11111111" ) ) AND (( PROCESSNAME ENDS_WITH "\\bcdedit.exe" ) OR ( PROCESSNAME ENDS_WITH "\\net.exe" ) OR ( PROCESSNAME ENDS_WITH "\\net1.exe" ) OR ( PROCESSNAME ENDS_WITH "\\netsh.exe" ) OR ( PROCESSNAME ENDS_WITH "\\wevtutil.exe" ) OR ( PROCESSNAME ENDS_WITH "\\vssadmin.exe" ) )))

This rule is triggered when the started process is one of the utilities below and its command line contains the placeholder string:

  • 11111111: Eight consecutive 1 characters. Rorschach launches its helper utilities in a suspended state with a placeholder argument string made of the digit 1 (the same length as the real arguments) and overwrites it in memory before resuming the process, so process creation telemetry records the placeholder instead of the real command. Eight is the minimum run length the rule requires.
  • bcdedit.exe: The Boot Configuration Data editor, used by ransomware to disable Windows recovery options and boot failure handling so that the system cannot be restored to a clean state.
  • net.exe / net1.exe: Command-line utilities for account, share and service manipulation (net1.exe is the helper process that net.exe spawns, which is why both are listed).
  • netsh.exe: The Network Shell utility, used to configure network settings and to alter or disable Windows Firewall rules.
  • wevtutil.exe: The Windows Event Log utility, used to clear or tamper with event logs.
  • vssadmin.exe: The Volume Shadow Copy Service administration tool, used by ransomware to delete shadow copies before encryption so that files cannot be recovered from them.

Criteria

Action1: actionname = "Process started" AND PROCESSNAME endswith any of ("\bcdedit.exe", "\net.exe", "\net1.exe", "\netsh.exe", "\wevtutil.exe", "\vssadmin.exe") AND COMMANDLINE contains "11111111" select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
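The matching logic in PowerShell, as an added example that is not part of this page or of the rule author's own code. It rebuilds the rule's condition (one of the six images AND a command line containing 11111111) as a reusable filter, runs it over constructed sample records shaped like the Sysmon Event ID 1 / Security 4688 fields the criteria select, and includes a converter for live 4688 events. The host names, users and parent paths in the samples are invented; the C:\Users\Public\cy.exe parent is an assumption for illustration and is not something the rule matches on.

```powershell
# Added example (not from the original page): the rule's condition as a PowerShell filter,
# exercised against constructed records. Nothing here is real telemetry.

$TargetImages = @('\bcdedit.exe', '\net.exe', '\net1.exe', '\netsh.exe', '\wevtutil.exe', '\vssadmin.exe')

function Test-RorschachExecution {
    param([Parameter(Mandatory)][pscustomobject]$Record)
    # Rorschach starts these utilities suspended with a placeholder argument string of 1s and
    # rewrites it in memory afterwards, so the logged command line is the placeholder.
    $imageHit = $false
    foreach ($suffix in $TargetImages) {
        if ($Record.ProcessName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
            $imageHit = $true
            break
        }
    }
    return ($imageHit -and ($Record.CommandLine -like '*11111111*'))
}

# Maps a live Security 4688 event onto the record shape used above. CommandLine is only
# populated when "Include command line in process creation events" is enabled.
function ConvertFrom-ProcessCreationEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated       = $Event.TimeCreated
            HostName          = $Event.MachineName
            UserName          = $data['SubjectUserName']
            ProcessName       = $data['NewProcessName']
            CommandLine       = $data['CommandLine']
            ParentProcessName = $data['ParentProcessName']
        }
    }
}

# Constructed sample records (invented hosts, users and parents; cy.exe parent is an assumption).
$samples = @(
    # Placeholder argument string as recorded at process creation.
    [pscustomobject]@{ HostName = 'WS01'; UserName = 'jdoe'; ProcessName = 'C:\Windows\System32\vssadmin.exe'
                       CommandLine = 'vssadmin.exe 1111111111111111111111111111111'; ParentProcessName = 'C:\Users\Public\cy.exe' },
    # Same utility with ordinary arguments: outside this rule's scope.
    [pscustomobject]@{ HostName = 'WS01'; UserName = 'backupsvc'; ProcessName = 'C:\Windows\System32\vssadmin.exe'
                       CommandLine = 'vssadmin.exe list shadows'; ParentProcessName = 'C:\Windows\System32\cmd.exe' },
    # Known false-positive shape: legitimate net1.exe call whose password happens to contain eight 1s.
    [pscustomobject]@{ HostName = 'WS02'; UserName = 'helpdesk'; ProcessName = 'C:\Windows\System32\net1.exe'
                       CommandLine = 'net1 user svc_backup P@ss11111111 /add'; ParentProcessName = 'C:\Windows\System32\net.exe' },
    # Matching string in an image that is not on the list.
    [pscustomobject]@{ HostName = 'WS02'; UserName = 'dev'; ProcessName = 'C:\Windows\System32\notepad.exe'
                       CommandLine = 'notepad.exe C:\tmp\11111111.txt'; ParentProcessName = 'C:\Windows\explorer.exe' }
)

$samples | Where-Object { Test-RorschachExecution $_ } |
    Select-Object HostName, UserName, ProcessName, CommandLine, ParentProcessName |
    Format-Table -AutoSize

# Against the live Security log instead of the samples (requires the audit prerequisites):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 |
#     ConvertFrom-ProcessCreationEvent | Where-Object { Test-RorschachExecution $_ }
```

Of the four constructed records, the vssadmin launch with the padded argument string and the net1 user call whose password contains 11111111 match; the ordinary vssadmin list shadows call and the notepad.exe call with 11111111 in a file name do not. The second match is exactly the false-positive shape described under Known False Positives, which is why the parent process and user are selected alongside the command line: a run of 1s launched from an interactive shell or a management agent reads very differently from one launched by an unknown process.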

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Execution: Command and Scripting Interpreter - Windows Command Shell (T1059.003); Execution: Command and Scripting Interpreter - PowerShell (T1059.001)

Security Standards

Enabling this rule helps meet the following security standard requirement (NIST CSF 2.0):

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

When this rule is triggered, you are notified that one of the listed system utilities was started with a command line matching the Rorschach placeholder pattern. Because the match is made on the argument string recorded at process creation, it can surface the shadow copy deletion, boot configuration tampering and event log clearing that precede encryption even though the real arguments never appear in the log.

Author

X__Junior (Nextron Systems)

Future actions

Known False Positives

This rule fires on any execution of the listed utilities whose command line contains eight consecutive 1 characters, so legitimate administration can trigger it: for example a net user command whose password or comment contains the string 11111111, or scripts that pass such a value to netsh or bcdedit. Review the parent process and the user account before escalating; administrative shells and management agents are expected parents, an unfamiliar or user-writable executable is not.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to isolate the host from the network and terminate the flagged process together with its parent.
  4. Audit subsequent activity: Check the host for deleted shadow copies, changed boot configuration, disabled firewall profiles and cleared event logs, and hunt for the same command-line pattern on other hosts and on domain controllers, since Rorschach propagates across the domain when executed on one.

Mitigation

Mitigation ID, name and description:

  • M1038 Execution Prevention: Enforce application control (for example AppLocker or Windows Defender Application Control) so that unapproved executables cannot run.
  • M1049 Antivirus/Antimalware: Implement antivirus or antimalware scanning to detect and isolate suspicious files.
  • M1045 Code Signing: Configure policies that allow PowerShell to execute only signed scripts.
  • M1042 Disable or Remove Feature or Program: Restrict or disable PowerShell on systems where it is not required.
  • M1026 Privileged Account Management: Restrict the ability to run PowerShell scripts to administrators and limit the commands that can be executed in remote PowerShell sessions.