Detection of WannaCry using Splunk and Sysmon

Motta López, Henry

Öffnen

PUPR_SJU_WI21_MCS_Henry Motta López_Article (247.7Kb)

PUPR_SJU_WI21_MCS_Henry Motta López_Poster (409.6Kb)

Datum

2021

Autor

Motta López, Henry

Metadata

Zur Langanzeige

Zusammenfassung

Lately, ransomware keeps being an important topic of conversation around the information security communities, as well as politics and economics. It has caused major damage in all these sectors and researchers must keep evolving as ransomware doe finding new ways to detect and remove the threat. Ransomware’s sophisticated encryption and propagation schemes limit the security team’s chances of recovering data to almost zero. The researcher investigated the use of Splunk Enterprise combined with Sysmon to detect and explore a specific ransomware threat. For proof of concept, the researcher used a WannaCry sample to detect the first time it was executed. This way, an investigation can be done, and alerts can be configured to better aid the incident response team. This solution detects ransomware file creation through the Splunk search query using Sysmon event codes. Key Words – Detection, Ransomware, Splunk, Sysmon.

URI

http://hdl.handle.net/20.500.12475/1419

Collections

Computer Science