Techniques
Sample rules
Revil Common Exec Parameter
- source: splunk
- technicques:
- T1204
Description
The following analytic detects the execution of command-line parameters commonly associated with REVIL ransomware, such as “-nolan”, “-nolocal”, “-fast”, and “-full”. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs mapped to the Processes node of the Endpoint data model. This activity is significant because these parameters are indicative of ransomware attempting to encrypt files on a compromised machine. If confirmed malicious, this could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "* -nolan *" OR Processes.process = "* -nolocal *" OR Processes.process = "* -fast *" OR Processes.process = "* -full *" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `revil_common_exec_parameter_filter`