How to create correlation rule for threat detection in RuSIEM. In case - Ransomware Win32/Diskcoder.Petya.C Video for this presentation: https://youtu.be/WK5q26iE09I

1. HOW TO CREATE
CORRELATION RULE FOR
THREAT DETECTION
IN RUSIEM
CEO RuSIEM
Olesya Shelestova
https://rusiem.com
support@rusiem.com
In case - detection ransomware
Win32/Diskcoder.Petya.C

2. EXAMPLE THREAT
• Consider as an example a real threat:
Ransomware Win32/Diskcoder.Petya.C

3. • You can not rely on patches that cover a vulnerability when
creating a correlation rule.
• At any time, a host may appear on which the patch is not
installed. And you will not know about it at the most
inopportune moment

4. WHAT ARE YOU NEED?
• Discover. Even if at the moment you do not have a threat.
• Automatic detection
• Real time detection
• Notifications (email/incident in workflow)

5. WHAT YOU NEED TO UNDERSTAND FIRST
Threat:
• Attack vectors (vulnerability, local/network, exploited software
versions, …)
• Distribution method (email/attachments/network/banners/sites)
• Explore news for threat definition/signature
How to detect:
• Process/network/hash
• Event logs/Cyber security systems (IDS/DPI/Network
Analyzers/Antivirus/etc)

6. SCENARIO #1
1. You have an information security tool that detects a threat
2. SIEM receives a ready-made threat decision event
3. SIEM prioritizes the threat by the rule of correlation, reduce
the number of false positives and records the fact of the
incident. Notifies send to you (or remediation group) by mail.

7. SCENARIO #2
1. You have a number of different software or hardware tools that
provide information about processes, email, network connections,
hashes.
2. It can be: windows event logs, firewalls, syslog, IDS, flow, network
analyzers and other.
3. SIEM will receive simple events from these sources, check for
correlations and detect incidents.
4. SIEM prioritizes the threat by the rule of correlation, reduce the
number of false positives and records the fact of the incident.
Notifies send to you (or remediation group) by mail.

8. DIFFERENCE BETWEEN SCENARIO
1. In fact: you are faster than IDS / AV vendors can create a signature
yourself.
2. The difference between the #1 and #2 scenarios is that in the case
of correlation rules in SIEM, you get a more manageable centralized
system.
3. There is no need to write rules for many different systems and
monitor their deploy.
4. In practice, SIEM receives much more information for guaranteed
threat detection.
5. In SIEM correlation rules it is possible to reduce the number of false
positives.
6. In any case, processes of incident management and real-time
response are needed. This does not have a classic protection

9. LOOK GOOGLE FOR THREAT
Win32/Diskcoder.Pety
a.C
Process
Remote WMI, “process call create
"C:WindowsSystem32rundll32.exe
"C:Windowsperfc.dat" #1”
Email
src/dst
Connect to
hosts
mshta.exe
%WINDIR%System32ms
hta.exe"
"C:myguy.xls.hta"
185.165.29.78
84.200.16.242
111.90.139.247
95.141.115.108
wowsmith123456@posteo.net
iva76y3pr@outlook.com
carmellar4hegp@outlook.com
amanda44i8sq@outlook.com

10. OUR PATH
• We will detect Win32/Diskcoder.Petya in this case by dst.ip
(C&C) and sha1/sha256 hashes
• Arrays of values put in the lists to be able to quickly change
and add new values
• When IDSs are updated - we will record incidents and by their
warnings
• If you have enabled audit on file servers – we also may create
common rule. Example, “changes 100 or more files in 60
seconds”

11. CREATE LIST FOR IP ADDRESSES

12. CREATE LIST FOR SHA1 AND SHA256 HASHES

13. CREATE CORRELATION RULE FOR DETECT
BY HASH

14. CREATE RULE FOR DETECTION BY DST.IP

15. ATTENTION !
• Be sure to test the created rule in a real infrastructure !
• You can always create or emulate the connection, the test
process, the other symptom of the threat for verification
• If an incident happens - it will be too late.

16. TEST THE CREATED RULE, CHECK THE INCIDENT

17. THANK YOU
support@rusiem.com
https://rusiem.com
https://t.me/rusiem
https://facebook.com/rvsiem Tags: #rvsiem #rusiem
Software: RuSIEM, free RvSIEM