Ryuk Wake on LAN Command

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be installed and configured to log process creation (Event ID 1) with command-line capture, since the detection keys on process command-line arguments.

Rule type:

Correlation rule

Rule description:

This correlation rule identifies use of the Wake-on-LAN (WoL) feature of the Ryuk ransomware, which powers on shut-down devices in a compromised network so that they can be reached and encrypted.

Data source

Windows: Network traffic, process, script

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0001 - Initial Access, TA0003 - Persistence, TA0006 - Credential Access

Techniques: T1189 - Drive-by Compromise, T1547 - Boot or Logon Autostart Execution, T1555 - Credentials from Password Stores

Sub-techniques: T1555.003 - Credentials from Password Stores: Credentials from Web Browser

Criteria:

The rule searches for process-creation events whose command line contains either of the following arguments:

  • "8 LAN": Ryuk launched with this argument reads the host's ARP cache, which maps IP addresses to MAC addresses, and uses the MAC addresses it finds to send Wake-on-LAN magic packets. The goal is to bring powered-down machines on the same network segment online so that they can be reached and encrypted.
  • "9 REP": Ryuk launched with this argument replicates itself, copying the Ryuk executable to other computers on the network to spread the infection.
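The following is an added worked example, not part of the original rule definition or of any vendor product. It runs the two criteria above over constructed Sysmon Event ID 1 records, matching "8 LAN" and "9 REP" as whole tokens so that unrelated command lines such as "8 LANDING" do not fire, and then correlates an "8 LAN" launch with the Wake-on-LAN magic packets the same host emits afterwards (a WoL magic packet is six 0xFF bytes followed by the target MAC repeated 16 times). The host names, process IDs, MAC addresses and datagrams are all made up for the example.

```python
import re

# What each Ryuk argument pair does, per the rule criteria above.
ARG_MEANING = {
    "8 LAN": "Wake-on-LAN: read ARP cache, send magic packets to neighbour MACs",
    "9 REP": "Replication: copy the Ryuk executable to other hosts on the network",
}

# Match "8 LAN" / "9 REP" only as whole tokens (preceded by start-of-line or
# whitespace, followed by whitespace or end-of-line) to avoid substring hits.
RYUK_ARG_RE = re.compile(r"(?:^|\s)(8\s+LAN|9\s+REP)(?=\s|$)")

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the
# fields this check needs. Real events carry these as EventData fields.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "ProcessId": 4120, "Image": r"C:\Users\Public\ryuk.exe",
     "CommandLine": r'"C:\Users\Public\ryuk.exe" 8 LAN'},
    {"Computer": "WS01", "ProcessId": 4128, "Image": r"C:\Users\Public\ryuk.exe",
     "CommandLine": r'"C:\Users\Public\ryuk.exe" 9 REP'},
    {"Computer": "WS02", "ProcessId": 777, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo Building 8 LANDING page"},   # must not fire
    {"Computer": "WS03", "ProcessId": 900, "Image": r"C:\Tools\report.exe",
     "CommandLine": r"report.exe --pages 9 --mode REP"},           # must not fire
]


def detect_ryuk_args(events):
    """Return one finding per process-creation event that carries a Ryuk argument."""
    hits = []
    for ev in events:
        m = RYUK_ARG_RE.search(ev["CommandLine"])
        if not m:
            continue
        arg = re.sub(r"\s+", " ", m.group(1))   # normalise "8   LAN" -> "8 LAN"
        hits.append({"Computer": ev["Computer"], "ProcessId": ev["ProcessId"],
                     "Image": ev["Image"], "Argument": arg,
                     "Behaviour": ARG_MEANING[arg]})
    return hits


def build_magic_packet(mac: str) -> bytes:
    """Build a standard WoL magic packet: 6 x 0xFF, then the MAC 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    return b"\xff" * 6 + raw * 16


def wol_target_mac(payload: bytes):
    """Return the target MAC if payload is a WoL magic packet, otherwise None.
    Accepts the bare 102-byte packet or one with a 4- or 6-byte SecureOn
    password appended (106 or 108 bytes)."""
    if len(payload) not in (102, 106, 108) or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


# Constructed UDP datagrams as (source host, destination IP, destination port,
# payload). WS01 broadcasts two magic packets; WS02 sends an unrelated datagram.
SAMPLE_DATAGRAMS = [
    ("WS01", "255.255.255.255", 9, build_magic_packet("00:11:22:33:44:55")),
    ("WS01", "255.255.255.255", 9, build_magic_packet("00:11:22:33:44:66")),
    ("WS02", "10.0.0.53", 53, b"\x12\x34\x01\x00" + b"\x00" * 98),
]


def correlate(events, datagrams):
    """Link each '8 LAN' launch to the WoL magic packets its host then emits.
    A process hit plus observed magic packets is a higher-confidence alert
    than the command line alone."""
    findings = {}
    for hit in detect_ryuk_args(events):
        if hit["Argument"] != "8 LAN":
            continue
        macs = sorted(
            mac for mac in (wol_target_mac(p) for src, _dst, _port, p in datagrams
                            if src == hit["Computer"])
            if mac is not None)
        findings[hit["Computer"]] = {"ProcessId": hit["ProcessId"], "WokenMACs": macs}
    return findings


if __name__ == "__main__":
    for h in detect_ryuk_args(SAMPLE_EVENTS):
        print(f"{h['Computer']} pid {h['ProcessId']}: {h['Argument']} -> {h['Behaviour']}")
    print(correlate(SAMPLE_EVENTS, SAMPLE_DATAGRAMS))
```

In production the same token-anchored match should be applied to the Sysmon CommandLine field rather than a plain substring search, and the WoL check belongs on a sensor that sees broadcast UDP (typically destination port 7 or 9), since Sysmon network events do not carry datagram payloads.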

When to enable this rule:

Enable this rule to detect lateral movement by Ryuk ransomware within the network.

The rule specifically targets the Wake-on-LAN functionality Ryuk uses to bring offline devices on the network online so that they can be encrypted.

Compliance mapping (NIST, CIS):

Enabling this rule helps meet the requirements of the following security standards:

  • NIST Cybersecurity Framework (CSF): RS.MI (Mitigation) to mitigate the spread of ransomware like Ryuk through network commands.
  • CIS Control:12 (Boundary Defense) to detect and prevent malicious network traffic associated with command and control.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as part of an existing incident or open a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and analyze the degree of compromise using the Incident Workbench to gauge the severity of the threat.
  • Response: Use Workflows to run an automated workflow that terminates the identified malicious process for prompt mitigation.