Reconstructing Ransomware Infection Vectors from Multi-Source Log Evidence

network_forensics_pcap Difficulté 1–5 30 min certifiable

Théorie

Why This Matters

Ransomware incident response begins with a fundamental question: how did the attacker get in? Without identifying the initial access vector, organisations cannot close the entry point, cannot assess whether data was exfiltrated before encryption, and cannot determine whether the attacker retains persistent access that will enable a second attack. The 2021 Kaseya VSA attack exploited a web application vulnerability; the same year's JBS Foods attack began with compromised RDP credentials. Different initial access vectors leave completely different forensic signatures across MTA logs, firewall logs, authentication logs, and endpoint telemetry. An analyst who can identify the vector from log evidence provides the critical first link in the kill chain.

Core Concept

Ransomware initial access vectors and their primary forensic log sources:

Phishing / malicious attachment: - MTA logs (Postfix, Exchange, O365 Message Trace) show delivery of the malicious message - Attachment filename, sender domain, and recipient appear in MTA logs - Endpoint: Office Trust Center logs (macro execution), Sysmon Event 1 (child process of WINWORD.EXE) - Network: DNS query and HTTP connection to staging server shortly after document opening

RDP brute force / credential stuffing: - Windows Event 4625 cluster from external IP against port 3389 - Successful 4624 logon type 10 (RemoteInteractive) shortly after - Security log on the RDP target records the source IP and account

Exploitation of internet-facing service: - Web server access logs show the exploit request (unusual HTTP method, path, or POST body size) - WAF logs record block or allow decisions for the request - Sysmon Event 1: web server process (w3wp.exe, httpd, tomcat) spawning cmd.exe or powershell.exe

Malicious macro / Office document: - Windows Event 4688: WINWORD.EXE or EXCEL.EXE spawning powershell.exe or cmd.exe - Sysmon Event 7: suspicious DLL loaded into Office process - Registry: HKCUSoftwareMicrosoftOfficeWordSecurityVBAWarnings value changes

Technical Deep-Dive

-- Splunk: detect Office process spawning shells (macro-based initial access)
index=sysmon EventCode=1
| where match(ParentImage, "(?i)(WINWORD|EXCEL|POWERPNT|OUTLOOK).EXE")
  AND match(Image, "(?i)(cmd.exe|powershell|wscript|cscript|mshta|certutil|bitsadmin)")
| table _time ComputerName ParentImage Image CommandLine
| sort _time

-- Splunk: RDP brute force leading to success
index=wineventlog (EventCode=4625 OR EventCode=4624) Logon_Type IN (3,10)
| stats count(eval(EventCode=4625)) AS failures
        count(eval(EventCode=4624)) AS successes
        earliest(_time) AS first_attempt
  BY Source_Network_Address Account_Name
| where failures > 15 AND successes > 0
| sort -failures

# Parse MTA logs (Postfix) for suspicious attachment delivery
grep "status=sent" /var/log/mail.log 
  | awk '''{print $7, $8, $9}''' | head -20

# Exchange/O365: PowerShell — get message trace for specific time window
# Get-MessageTrace -StartDate "2024-03-15" -EndDate "2024-03-16" |
#   Where-Object {$_.Status -eq "Delivered"} |
#   Select-Object SenderAddress, RecipientAddress, Subject, Received |
#   Export-Csv mail_trace.csv

# Web server exploitation: find requests that spawned child processes
# Correlate nginx access log timestamps with Sysmon Event 1 timestamps
grep "2024:03:15:10:2[3-5]" /var/log/nginx/access.log 
  | awk '''{print $1, $4, $6, $7, $9}''' | head -20

# Look for exploit-typical POST bodies: long URIs, unusual content types
awk 'length($7) > 200 || $9 == 500' /var/log/nginx/access.log | head -10

Analytical Methodology

Establish the earliest confirmed malicious event on the affected endpoint: the first process, file, or network event that is definitively attacker-controlled. This anchors the initial access time.
Work backwards from the anchor: within the 30 minutes preceding the anchor event, what logs exist? Look for: email delivery of a suspicious attachment (MTA logs), a successful RDP logon from an external IP (Event 4624 logon type 10), or an unusual HTTP request to a web-facing service (access logs).
Phishing vector investigation: query MTA logs for the recipient account, within 2 hours before the anchor event. Identify any message with an attachment delivered to that account. Extract sender domain, attachment filename, and message timestamp. Cross-reference against threat intelligence for the sender domain and any URLs in the body.
RDP vector investigation: on the compromised host, search Event 4625 for the 24 hours before compromise. Identify any external IP generating more than 10 failures. Check whether a successful logon type 10 (4624) followed. If yes, the compromised account and attacker IP are identified.
Web exploitation investigation: review web server access logs for requests matching the compromise timestamp ±10 minutes. Look for: unusual HTTP methods (PUT, TRACE, OPTIONS on unexpected paths), POST bodies exceeding 10KB to login or upload endpoints, requests returning HTTP 500 with subsequently unusual activity, or requests with command injection patterns in parameters.
Identify the first outbound network connection after the malicious process started. This is typically a staging server, C2 beacon, or data exfiltration endpoint. Note the destination IP, port, and DNS resolution.
Reconstruct the full timeline: initial access event → first malicious process → privilege escalation → lateral movement → encryption trigger. Each phase should be evidenced by a log entry.
Document the infection vector definitively. Include: the log source, specific log entry, timestamp, and the causal chain linking it to confirmed malicious activity.

Common Analytical Errors

Anchoring too late: Analysts who start at the encryption event (ransomware notification) and work backwards often stop at the earliest malware execution on the patient-zero host. The true initial access may be hours or days earlier — keep searching backwards.
Ignoring legitimate-looking access: Phishing attachments are opened by the actual user; the MTA log entry shows a legitimate delivery, not a suspicious one. Do not dismiss delivered messages as benign — examine attachment names and sender domains carefully.
Missing the staging download: Many ransomware operators use a dropper that downloads the actual ransomware payload from a staging server. The initial access event delivers only the dropper. Look for the download event (HTTP GET, PowerShell Invoke-WebRequest, certutil -urlcache) as a separate link in the chain.
Attributing to the wrong account: RDP brute-force attacks may target multiple accounts. The account used for initial access may differ from the account used for lateral movement. Trace each account separately.

NICE Framework Alignment

Code	Work Role Knowledge / Skill / Task	Relevance
K0046	Knowledge of intrusion detection methodologies	Identifying initial access vectors requires correlating disparate log sources and detection techniques
K0145	Knowledge of security event correlation tools	Multi-source SIEM correlation (MTA + endpoint + network logs) to establish infection timeline
K0187	Knowledge of file type abuse by adversaries	Malicious Office documents, PDFs, and archive files are primary delivery vehicles for ransomware droppers
S0047	Skill in preserving evidence integrity	MTA log export, web access log collection, and event log preservation before system rebuild
T0049	Decrypt seized data / analyze forensic artifacts	Analysing email headers and attachment metadata to confirm phishing delivery as initial access vector