
File with Samsam Extension

Splunk Security Content

Summary
This detection rule identifies file-write activity associated with potential SamSam ransomware attacks by monitoring for specific unusual file extensions. The extensions targeted are .stubbin, .berkshire, .satoshi, .sophos, and .keyxml, which are indicative of this malware family. By analyzing file-system activity from data sources such as Sysmon and Windows Event Logs, the rule aims to surface malicious events that could lead to significant operational disruption and financial loss if ransomware is confirmed. The rule emphasizes the need for immediate response measures such as isolating affected systems, restoring files, and conducting thorough investigations to prevent future incidents. Implementation requires a proper data-ingestion strategy, particularly through Sysmon, to populate the Endpoint file-system data model in Splunk.
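As an added example (not code from Splunk Security Content), the check below applies the rule's extension list to constructed Sysmon-style FileCreate (Event ID 11) records written in a simplified key=value layout, restricting matches to the file extension (so a directory named "Sophos" is not a hit), matching case-insensitively, and counting hits per host and writing process for triage.

```python
import re
from collections import Counter

# Extensions the rule names as associated with SamSam file writes.
SAMSAM_EXTENSIONS = (".stubbin", ".berkshire", ".satoshi", ".sophos", ".keyxml")

# Constructed Sysmon-style records in a simplified key=value layout (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=11 Computer=ws01 User=CORP\\alice Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\alice\\report.docx",
    "EventID=11 Computer=ws01 User=CORP\\alice Image=C:\\Temp\\svc.exe TargetFilename=C:\\Users\\alice\\report.docx.stubbin",
    "EventID=11 Computer=ws01 User=CORP\\alice Image=C:\\Temp\\svc.exe TargetFilename=C:\\Users\\alice\\budget.xlsx.BERKSHIRE",
    "EventID=11 Computer=fs02 User=CORP\\svc_backup Image=C:\\Temp\\svc.exe TargetFilename=D:\\Shares\\HR\\HELP_DECRYPT.keyxml",
    "EventID=11 Computer=fs02 User=CORP\\bob Image=C:\\Sophos\\agent.exe TargetFilename=C:\\ProgramData\\Sophos\\state.log",
    "EventID=1 Computer=fs02 User=CORP\\bob Image=C:\\Temp\\svc.exe CommandLine=svc.exe_x.satoshi",
]


def parse_event(line):
    """Split a key=value record into a dict (values in this constructed layout contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_samsam_filename(path):
    """True when the file's extension (compared case-insensitively) is one the rule flags."""
    return path.lower().endswith(SAMSAM_EXTENSIONS)


def find_samsam_writes(lines):
    """Return FileCreate (Event ID 11) records whose target file name carries a flagged extension."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "11":
            continue  # only file-system writes, mirroring the rule's file-system data model
        target = ev.get("TargetFilename", "")
        if is_samsam_filename(target):
            hits.append({"host": ev["Computer"], "user": ev["User"], "process": ev["Image"], "file": target})
    return hits


def summarize_by_host(hits):
    """Count flagged writes per (host, process), the pivot an analyst would triage first."""
    return Counter((h["host"], h["process"]) for h in hits)


if __name__ == "__main__":
    for hit in find_samsam_writes(SAMPLE_EVENTS):
        print(hit)
    print(summarize_by_host(find_samsam_writes(SAMPLE_EVENTS)))
```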
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • File
  • Process
ATT&CK Techniques
  • T1036.003
Created: 2024-11-13