Merge pull request #3621 from splunk/interlock_ransomware

interlock_ransomware

Author: patel-bhavin

detections/endpoint/common_ransomware_extensions.yml

@@ -1,7 +1,7 @@
 name: Common Ransomware Extensions
 id: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec
-version: 14
-date: '2025-05-02'
+version: 15
+date: '2025-07-29'
 author: David Dorsey, Michael Haag, Splunk, Steven Dick
 status: production
 type: TTP
@@ -79,6 +79,8 @@ tags:
   - Ryuk Ransomware
   - Black Basta Ransomware
   - Termite Ransomware
+  - Interlock Ransomware
+  - NailaoLocker Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1485

detections/endpoint/common_ransomware_notes.yml

@@ -1,7 +1,7 @@
 name: Common Ransomware Notes
 id: ada0f478-84a8-4641-a3f1-d82362d6bd71
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2025-07-29'
 author: David Dorsey, Splunk
 status: production
 type: Hunting
@@ -42,6 +42,8 @@ tags:
   - Ryuk Ransomware
   - Black Basta Ransomware
   - Termite Ransomware
+  - Interlock Ransomware
+  - NailaoLocker Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1485

detections/endpoint/detect_remote_access_software_usage_file.yml

@@ -1,18 +1,18 @@
 name: Detect Remote Access Software Usage File
 id: 3bf5541a-6a45-4fdc-b01d-59b899fff961
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-07-28'
 author: Steven Dick
 status: production
 type: Anomaly
-description: The following analytic detects the writing of files from known remote
-  access software to disk within the environment. It leverages data from Endpoint
-  Detection and Response (EDR) agents, focusing on file path, file name, and user
-  information. This activity is significant as adversaries often use remote access
-  tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access.
-  If confirmed malicious, this could allow attackers to persist in the environment,
-  potentially leading to data exfiltration, further compromise, or complete control
-  over affected systems.
+description: The following analytic detects the writing of files from known 
+  remote access software to disk within the environment. It leverages data from 
+  Endpoint Detection and Response (EDR) agents, focusing on file path, file 
+  name, and user information. This activity is significant as adversaries often 
+  use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to 
+  maintain unauthorized access. If confirmed malicious, this could allow 
+  attackers to persist in the environment, potentially leading to data 
+  exfiltration, further compromise, or complete control over affected systems.
 data_source:
 - Sysmon EventID 11
 search: '| tstats `security_content_summariesonly` count, min(_time) as firstTime,
@@ -25,20 +25,22 @@ search: '| tstats `security_content_summariesonly` count, min(_time) as firstTim
   remote_access_software remote_utility AS file_name OUTPUT isutility, description
   as signature, comment_reference as desc, category | search isutility = TRUE | `remote_access_software_usage_exceptions`
   | `detect_remote_access_software_usage_file_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
-  and Response (EDR) agents. These agents are designed to provide security-related
-  telemetry from the endpoints where the agent is installed. To implement this search,
-  you must ingest logs that contain the file path, file name, and the user that created
-  the file. These logs must be processed using the appropriate Splunk Technology Add-ons
-  that are specific to the EDR product. The logs must also be mapped to the `Filesystem`
-  node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM)
-  to normalize the field names and speed up the data modeling process. The "exceptions"
-  macro leverages both an Assets and Identities lookup, as well as a KVStore collection
-  called "remote_software_exceptions" that lets you track and maintain device-based
-  exceptions for this set of detections.
-known_false_positives: Known or approved applications used by the organization or
-  usage of built-in functions. Known false positives can be added to the remote_access_software_usage_exception.csv
-  lookup to globally suppress these situations across all remote access content
+how_to_implement: The detection is based on data that originates from Endpoint 
+  Detection and Response (EDR) agents. These agents are designed to provide 
+  security-related telemetry from the endpoints where the agent is installed. To
+  implement this search, you must ingest logs that contain the file path, file 
+  name, and the user that created the file. These logs must be processed using 
+  the appropriate Splunk Technology Add-ons that are specific to the EDR 
+  product. The logs must also be mapped to the `Filesystem` node of the 
+  `Endpoint` data model. Use the Splunk Common Information Model (CIM) to 
+  normalize the field names and speed up the data modeling process. The 
+  "exceptions" macro leverages both an Assets and Identities lookup, as well as 
+  a KVStore collection called "remote_software_exceptions" that lets you track 
+  and maintain device-based exceptions for this set of detections.
+known_false_positives: Known or approved applications used by the organization 
+  or usage of built-in functions. Known false positives can be added to the 
+  remote_access_software_usage_exception.csv lookup to globally suppress these 
+  situations across all remote access content
 references:
 - https://attack.mitre.org/techniques/T1219/
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
@@ -62,8 +64,8 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A file for known a remote access software [$file_name$] was created on
-    $dest$ by $user$.
+  message: A file for known a remote access software [$file_name$] was created 
+    on $dest$ by $user$.
   risk_objects:
   - field: dest
     type: system
@@ -86,6 +88,7 @@ tags:
   - Remote Monitoring and Management Software
   - Cactus Ransomware
   - Seashell Blizzard
+  - Interlock Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1219
@@ -98,6 +101,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/detect_remote_access_software_usage_fileinfo.yml

@@ -1,17 +1,18 @@
 name: Detect Remote Access Software Usage FileInfo
 id: ccad96d7-a48c-4f13-8b9c-9f6a31cba454
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-07-28'
 author: Steven Dick
 status: production
 type: Anomaly
-description: The following analytic detects the execution of processes with file or
-  code signing attributes from known remote access software within the environment.
-  It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote
-  access utilities such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity
-  is significant as adversaries often use these tools to maintain unauthorized remote
-  access. If confirmed malicious, this could allow attackers to persist in the environment,
-  potentially leading to data exfiltration or further compromise of the network.
+description: The following analytic detects the execution of processes with file
+  or code signing attributes from known remote access software within the 
+  environment. It leverages Sysmon EventCode 1 data and cross-references a 
+  lookup table of remote access utilities such as AnyDesk, GoToMyPC, LogMeIn, 
+  and TeamViewer. This activity is significant as adversaries often use these 
+  tools to maintain unauthorized remote access. If confirmed malicious, this 
+  could allow attackers to persist in the environment, potentially leading to 
+  data exfiltration or further compromise of the network.
 data_source:
 - Sysmon EventID 1
 search: '`sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) as
@@ -22,14 +23,16 @@ search: '`sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) a
   remote_utility_fileinfo AS Product OUTPUT isutility, description as signature, comment_reference
   as desc, category | search isutility = True | `remote_access_software_usage_exceptions`
   | `detect_remote_access_software_usage_fileinfo_filter`'
-how_to_implement: This analytic relies on Sysmon to be properly installed and utilized
-  in the environment. Ensure that proper logging is setup for Sysmon and data is being
-  ingested into Splunk. The "exceptions" macro leverages both an Assets and Identities
-  lookup, as well as a KVStore collection named "remote_software_exceptions" that
-  lets you track and maintain device-based exceptions for this set of detections.
-known_false_positives: Known or approved applications used by the organization or
-  usage of built-in functions. Known false positives can be added to the remote_access_software_usage_exception.csv
-  lookup to globally suppress these situations across all remote access content
+how_to_implement: This analytic relies on Sysmon to be properly installed and 
+  utilized in the environment. Ensure that proper logging is setup for Sysmon 
+  and data is being ingested into Splunk. The "exceptions" macro leverages both 
+  an Assets and Identities lookup, as well as a KVStore collection named 
+  "remote_software_exceptions" that lets you track and maintain device-based 
+  exceptions for this set of detections.
+known_false_positives: Known or approved applications used by the organization 
+  or usage of built-in functions. Known false positives can be added to the 
+  remote_access_software_usage_exception.csv lookup to globally suppress these 
+  situations across all remote access content
 references:
 - https://attack.mitre.org/techniques/T1219/
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
@@ -53,8 +56,8 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A file attributes for known a remote access software [$process_name$] was
-    detected on $dest$
+  message: A file attributes for known a remote access software [$process_name$]
+    was detected on $dest$
   risk_objects:
   - field: dest
     type: system
@@ -76,6 +79,7 @@ tags:
   - Remote Monitoring and Management Software
   - Cactus Ransomware
   - Seashell Blizzard
+  - Interlock Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1219
@@ -88,6 +92,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/detect_remote_access_software_usage_process.yml

@@ -1,17 +1,20 @@
 name: Detect Remote Access Software Usage Process
 id: ffd5e001-2e34-48f4-97a2-26dc4bb08178
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-07-28'
 author: Steven Dick, Sebastian Wurl, Splunk Community
 status: production
 type: Anomaly
-description: The following analytic detects the execution of known remote access software
-  within the environment. It leverages data from Endpoint Detection and Response (EDR)
-  agents, focusing on process names and parent processes mapped to the Endpoint data
-  model. We then compare with with a list of known remote access software shipped as a lookup file - remote_access_software. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access.
-  If confirmed malicious, this could allow attackers to control systems remotely,
-  exfiltrate data, or deploy additional malware, posing a severe threat to the organization's
-  security.
+description: The following analytic detects the execution of known remote access
+  software within the environment. It leverages data from Endpoint Detection and
+  Response (EDR) agents, focusing on process names and parent processes mapped 
+  to the Endpoint data model. We then compare with with a list of known remote 
+  access software shipped as a lookup file - remote_access_software. This 
+  activity is significant as adversaries often use remote access tools like 
+  AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If
+  confirmed malicious, this could allow attackers to control systems remotely, 
+  exfiltrate data, or deploy additional malware, posing a severe threat to the 
+  organization's security.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
@@ -33,22 +36,25 @@ search: |
   | search isutility = TRUE
   | `remote_access_software_usage_exceptions`
   | `detect_remote_access_software_usage_process_filter`
-how_to_implement: The detection is based on data that originates from Endpoint Detection
-  and Response (EDR) agents. These agents are designed to provide security-related
-  telemetry from the endpoints where the agent is installed. To implement this search,
-  you must ingest logs that contain the process GUID, process name, and parent process.
-  Additionally, you must ingest complete command-line executions. These logs must
-  be processed using the appropriate Splunk Technology Add-ons that are specific to
-  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
-  data model. Use the Splunk Common Information Model (CIM) to normalize the field
-  names and speed up the data modeling process. The "exceptions" macro leverages both
-  an Assets and Identities lookup, as well as a KVStore collection called "remote_software_exceptions"
-  that lets you track and maintain device- based exceptions for this set of detections.
-known_false_positives: It is possible that legitimate remote access software is used
-  within the environment. Ensure that the lookup is reviewed and updated with any
-  additional remote access software that is used within the environment. Known false
-  positives can be added to the remote_access_software_usage_exception.csv lookup
-  to globally suppress these situations across all remote access content
+how_to_implement: The detection is based on data that originates from Endpoint 
+  Detection and Response (EDR) agents. These agents are designed to provide 
+  security-related telemetry from the endpoints where the agent is installed. To
+  implement this search, you must ingest logs that contain the process GUID, 
+  process name, and parent process. Additionally, you must ingest complete 
+  command-line executions. These logs must be processed using the appropriate 
+  Splunk Technology Add-ons that are specific to the EDR product. The logs must 
+  also be mapped to the `Processes` node of the `Endpoint` data model. Use the 
+  Splunk Common Information Model (CIM) to normalize the field names and speed 
+  up the data modeling process. The "exceptions" macro leverages both an Assets 
+  and Identities lookup, as well as a KVStore collection called 
+  "remote_software_exceptions" that lets you track and maintain device- based 
+  exceptions for this set of detections.
+known_false_positives: It is possible that legitimate remote access software is 
+  used within the environment. Ensure that the lookup is reviewed and updated 
+  with any additional remote access software that is used within the 
+  environment. Known false positives can be added to the 
+  remote_access_software_usage_exception.csv lookup to globally suppress these 
+  situations across all remote access content
 references:
 - https://attack.mitre.org/techniques/T1219/
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
@@ -72,8 +78,8 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A process for a known remote access software $process_name$ was identified
-    on $dest$.
+  message: A process for a known remote access software $process_name$ was 
+    identified on $dest$.
   risk_objects:
   - field: dest
     type: system
@@ -96,6 +102,7 @@ tags:
   - Remote Monitoring and Management Software
   - Cactus Ransomware
   - Seashell Blizzard
+  - Interlock Ransomware
   asset_type: Endpoint
   mitre_attack_id:
   - T1219
@@ -108,9 +115,11 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog