Ransomware Deployment

Routine reviews of user accounts and their associated privileges and permissions should be conducted to identify overly-permissive accounts, or accounts that are no longer required to be active.

By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves.

An anti-virus solution detect and alert on malicious files, including the ability to take autonomous actions such as quarantining or deleting the flagged file.

Network Access Control (NAC) manages and regulates devices accessing a organization's network(s), including personal devices under a Bring Your Own Device (BYOD) policy. NAC systems ensure that only authorized and compliant devices can connect to the network, reducing security risks.
 

NAC performs the following functions:

• Device Authentication and Authorization: Checks whether the device meets the organization’s security policies before granting access.
• Compliance Checks: Verifies that devices have up-to-date security patches and configurations. Non-compliant devices may be denied access or placed in a quarantined network zone.
• Segmentation and Isolation: Restricts devices' access to sensitive areas, limiting potential impact from compromised devices.
• Continuous Monitoring: Tracks connected devices for ongoing compliance and can automatically quarantine or disconnect those that fall out of compliance.
• Policy Enforcement: Applies security policies to ensure devices can only access appropriate resources based on their security status.

NAC functionality can be provided by dedicated NAC appliances, next-generation firewalls, unified threat management devices, and some network switches and routers.

Network Intrusion Prevention Systems (NIPs) can alert on abnormal, suspicious, or malicious patterns of network behavior, and take autonomous actions to stop the behavior, such as resetting a network connection.

Next-generation firewall (NGFW) network appliances and services provide the ability to control network traffic based on rules. These firewalls provide basic firewall functionality, such as simple packet filtering based on static rules and track the state of network connections. They can also provide the ability to control network traffic based on Application Layer rules, among other advanced features to control network traffic.

A example of simple functionality would be blocking network traffic to or from a specific IP address, or all network traffic to a specific port number. An example of more advanced functionality would be blocking all network traffic that appears to be SSH or FTP traffic to any port on any IP address.

An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.

Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.

An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate).

An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.

The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).

Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.

Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.

An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.

A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.

Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.

Audit Logs are records generated by systems and applications to document activities and changes within an environment. They provide an account of events, including user actions, system modifications, and access patterns.

Recent modifications to the ConsoleHost_history.txt file located in C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine may indicate the file has been deleted and subsequently automatically recreated by the Operating System. This may represent an anti-forensics technique if the subject in question is known to have used PowerShell any time prior to the “Created” timestamp of the ConsoleHost_history.txt file.

If the ConsoleHost_history.txt file located in C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine, is missing, this indicates that the file has been deleted. This may represent an anti-forensics technique if the subject in question is known to have used PowerShell any time.

By using files with canary tokens as tripwires, investigators can create an early warning system for potential collection activities before a data exfiltration infringement occurs.

By strategically placing these files on endpoints, network shares, FTP servers, and collaboration platforms such as SharePoint or OneDrive, the canaries monitor for access and automatically trigger an alert if an action is detected.

A honeypot is a decoy system that mimics a legitimate system or service, enticing a malicious actor to interact with it. It records any interaction for later review.

Implement Deep Packet Inspection (DPI) tools to inspect the content of network packets beyond the header information. DPI can identify unusual patterns and hidden data within legitimate protocols. DPI can be conducted with a range of software and hardware solutions, such as Unified Threat Management (UTM) and Next-Generation Firewalls (NGFWs), as well as Intrusion Detection and Prevention Systems (IDPS) such as Snort and Suricata, 

Logging DNS requests made by corporate devices can assist with identifying what web resources a system has attempted to or successfully accessed.

Monitor outbound DNS traffic for unusual or suspicious queries that may indicate DNS tunneling. DNS monitoring entails observing and analyzing Domain Name System (DNS) queries and responses to identify abnormal or malicious activities. This can be achieved using various security platforms and network appliances, including Network Intrusion Detection Systems (NIDS), specialized DNS services, and Security Information and Event Management (SIEM) systems that process DNS logs.

File Integrity Monitoring (FIM) is a technical prevention mechanism designed to detect unauthorized modification, deletion, or creation of files and configurations on monitored systems. The most basic implementation method is cryptographic hash comparison, where a known-good baseline (typically SHA256 or SHA1) is calculated and stored for monitored files. At regular intervals (or in real time) current file states are re-hashed and compared to the baseline. Any discrepancy in hash value, size, permissions, or timestamp is flagged as an integrity violation.

While hash comparison is foundational, mature File Integrity Monitoring (FIM) solutions incorporate additional telemetry and instrumentation to increase forensic depth, reduce false positives, and support attribution:

• ACL and Permission Monitoring: Captures unauthorized changes to file ownership, execution flags (e.g. chmod +x), NTFS permissions, or group inheritance, critical for detecting silent privilege escalation.
• Timestamp Integrity Checks: Monitors for retroactive or unnatural changes to creation, modification, and access timestamps, commonly associated with anti-forensic behaviors such as timestomping.
• Event-based Hooks: Leverages OS-native event subsystems (e.g. Windows ETW, USN Journal; Linux inotify, auditd, fanotify) to trigger high-fidelity alerts on file system activity without waiting for interval-based scans.
• Process Attribution: Enriches FIM events with the user identity, process name, PID, and command line responsible for the change, enabling precise correlation with session logs, drift indicators, and subject behavior.
• Snapshot or Versioned Comparisons: Enables file state diffing across time, including rollback of modified artifacts or analysis of change sequences (common in forensic suites and some EDR platforms).

To be effective in insider threat contexts, File Integrity Monitoring should be explicitly tuned to monitor (at minimum):

• Executable and script directories (%ProgramFiles%, %APPDATA%, /usr/local/bin/, /opt/)
• Configuration and runtime paths (/etc/, C:\Windows\System32\Config, container volumes)
• Security logs, audit trails, and telemetry agents (.evtx, /var/log/, SIEM client logs)
• Credential storage and secrets locations (browser credential stores, password vaults, keyrings, .env files)
• Backup and recovery tooling (scripts, snapshot schedulers, and volume metadata)

In ransomware or destruction scenarios, File Integrity Monitoring can detect the early stages of detonation by identifying rapid, high-volume file modifications and hash changes, particularly in mapped drives, document repositories, and shared storage. This can serve as a trigger for containment actions and/or investigation before full encryption completes, especially when correlated with process telemetry and known ransomware behaviors (e.g. deletion of shadow copies, entropy spikes).

When tuned and deployed appropriately, File Integrity Monitoring provides a high-fidelity signal of tampering, staging, or covert access attempts, even when other telemetry (e.g. signature-based detection or anomaly modeling) fails to trigger. This makes it particularly valuable in environments where subjects have elevated access, control over telemetry agents, or knowledge of investigative blind spots.

The MRU (Most Recently Used) Map Network Drive is a Windows registry key located at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU. This key stores information about recently mapped network drives. By examining the entries in this key, investigators can identify which network drives were mapped by the computer to which drive letter.

The .bash_history file, located within a user's directory on MacOS and Linux, is written with command history from shell sessions.

If the file is missing, this could indicate that it has been deleted, if a user account has used a shell utility previously.

Analyze network flow data (NetFlow) to identify unusual communication patterns and potential tunneling activities. Flow data offers insights into the volume, direction, and nature of traffic.

NetFlow, a protocol developed by Cisco, captures and records metadata about network flows—such as source and destination IP addresses, ports, and the amount of data transferred.

Various network appliances support NetFlow, including Next-Generation Firewalls (NGFWs), network routers and switches, and dedicated NetFlow collectors.

Network Intrusion Detection Systems (NIDS) can alert on abnormal, suspicious, or malicious patterns of network behavior. 

Deploy User and Entity Behavior Analytics (UEBA) solutions designed for cloud environments to monitor and analyze the behavior of users, applications, network devices, servers, and other non-human resources. UEBA systems track normal behavior patterns and detect anomalies that could indicate potential insider events. For instance, they can identify when a user or entity is downloading unusually large volumes of data, accessing an excessive number of resources, or engaging in data transfers that deviate from their usual behavior.

Implement User Behavior Analytics (UBA) tools to continuously monitor and analyze user (human) activities, detecting anomalies that may signal security risks. UBA can track and flag unusual behavior, such as excessive data downloads, accessing a higher-than-usual number of resources, or large-scale transfers inconsistent with a user’s typical patterns. UBA can also provide real-time alerts when users engage in behavior that deviates from established baselines, such as accessing sensitive data during off-hours or from unfamiliar locations. By identifying such anomalies, UBA enhances the detection of insider events.

To identify events where shadow copies are being deleted on a Windows system, command-line arguments should be monitored for the string “vssadmin delete shadows,” which represents the initial syntax of a command to delete shadows with the vssadmin utility.

Windows Event Log ID 4660 “An object was deleted” is generated when an object was deleted, such as a file system, kernel, or registry object. This Event is not enabled by default, and requires “Delete” auditing to be enabled in the object’s System Access Control List (SACL). This event doesn’t contain the name of the deleted object, so investigators must also utilize Event ID 4663.

Windows Event Log ID 4663 “An attempt was made to access an object” can be used in combination with Event ID 4660 to track object deletion. This Event is not enabled by default, and requires “Delete” auditing to be enabled in the object’s System Access Control List (SACL).

This may represent an anti-forensics technique if there is no reasonable explanation for why the objected was deleted from the system.

Windows Event Log ID 1102 “The audit log was cleared” is generated when the Windows Security audit log has been cleared. This Event contains the account's SID, name, and domain that cleared the log.

This may represent an anti-forensics technique if there is no reasonable explanation for why the Event Log was cleared on this system.