
Anatomy of the Osiris Campaign: A New Chapter in Modern Ransomware
Indicators of Compromise
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1204.002 - Malicious File
ID | Name | Analytic ID | Analytic Description |
User Execution – Malicious File via download/open → spawn chain (T1204.002) | User opens a file delivered by email, web, chat, or share. The handler application (Word/PDF reader/archiver) creates a file in user-controlled paths (Downloads, Temp, Desktop) and then spawns a new or unusual child process (e.g., powershell.exe, wscript.exe, cmd.exe, regsvr32.exe, rundll32.exe, msiexec.exe). Optional precursors include FileStreamCreated (URL/UNC) and Office → system32 batch writes. | ||
User opens a downloaded document/installer leading to EndpointSecurity file create in ~/Downloads or ~/Library paths then an exec of a suspicious utility (osascript, bash/zsh, curl, chmod, open with -a Terminal). Correlates File Creation with subsequent process exec and, optionally, quarantine/LSQuarantine events. | |||
User or desktop application writes a new file to ~/Downloads, /tmp, or mounted removable media followed by execve of a risky interpreter/loader (bash, sh, python, perl, php, node, curl|wget piping to sh, ld.so, rdesktop, xdg-open - with unusual args). Uses auditd PATH+SYSCALL (open/creat/write/rename) with execve event linking. |
T1543.003 - Windows Service
ID | Name | Analytic ID | Analytic Description |
Detects creation or modification of Windows Services through command-line tools (e.g., sc.exe, powershell.exe), Registry key changes under HKLM\System\CurrentControlSet\Services, and service execution under SYSTEM with unsigned or anomalous binary paths. Detects privilege escalation via driver installation or CreateServiceW usage. Correlates parent-child lineage, startup behavior, and rare service names. |
T1074.002 - Remote Data Staging
ID | Name | Analytic ID | Analytic Description |
Detects file transfers or mounting operations from remote hosts followed by write actions into a local staging directory, often using SMB or remote shell activity. | |||
Detects inbound SCP, rsync, or NFS mounts from remote systems followed by aggregation of files into known staging paths like /mnt/staging or /var/tmp. | |||
Detects rsync or scp inbound from other hosts that then aggregate content into /Users/Shared or /private/tmp, often involving compressed files or scripts. | |||
Detects remote writes or snapshots mounted from other systems into a central ESXi VMFS path or NFS store used for remote staging of files before exfiltration. | |||
Detects remote write activity across cloud VMs or object storage buckets within the same region/account that correlate with data aggregation across hosts. |
T1036 - Masquerading
ID | Name | Analytic ID | Analytic Description |
Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy | Adversary renames LOLBINs or deploys binaries with spoofed file names, internal PE metadata, or misleading icons to appear legitimate. File creation is followed by execution or service registration inconsistent with known usage. | ||
Adversary drops renamed binaries in uncommon directories (e.g., /tmp, /dev/shm) or uses special characters in names (e.g., trailing space, Unicode RLO). Execution or cronjob registration follows shortly after file drop. | |||
Adversary creates disguised launch daemons or apps with misleading names and bundle metadata (e.g., Info.plist values inconsistent with binary path or icon). Launch is correlated with user logon or persistence setup. | |||
Adversary uses renamed container images, injects files into containers with misleading names or metadata (e.g., renamed system binaries), and executes them during startup or scheduled jobs. | |||
Adversary places scripts or binaries with misleading names in /etc/rc.local.d or /var/spool/cron, or registers services with legitimate-sounding names not present in default ESXi builds. |
T1055 - Process Injection
ID | Name | Analytic ID | Analytic Description |
Detects process injection by correlating memory manipulation API calls (e.g., VirtualAllocEx, WriteProcessMemory), suspicious thread creation (e.g., CreateRemoteThread), and unusual DLL loads within another process's context. | |||
Detects ptrace- or memfd-based process injection through audit logs capturing system calls (e.g., ptrace, mmap) targeting running processes along with suspicious file descriptors or memory writes. | |||
Detects memory-based injection by monitoring task_for_pid, mach_vm_write, and dylib injection patterns through DYLD_INSERT_LIBRARIES or manual memory mapping. |
T1112 - Modify Registry
ID | Name | Analytic ID | Analytic Description |
Behavior chain involving abnormal registry modifications via CLI, PowerShell, WMI, or direct API calls, especially targeting persistence, privilege escalation, or defense evasion keys, potentially followed by service restart or process execution. Such as editing Notify/Userinit/Startup keys, or disabling SafeDllSearchMode. |
T1003.001 - LSASS Memory
ID | Name | Analytic ID | Analytic Description |
Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence | A non-privileged or abnormal process attempts to open a handle with full access (0x1F0FFF) to lsass.exe and subsequently invokes memory dump, file creation, or registry modification indicative of credential scraping. This behavior chain reflects staged credential theft activity. |
T1562.001 - Disable or Modify Tools
ID | Name | Analytic ID | Analytic Description |
Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms. | Detection of adversary behavior that disables or modifies security tools, including killing AV/EDR processes, stopping services, altering Sysmon registry keys, or tampering with exclusion lists. Defenders observe process/service termination, registry modification, and abnormal absence of expected telemetry. | ||
Detection of adversaries attempting to stop or disable host-based security agents by killing daemons, unloading kernel modules, or modifying init/systemd service configurations. | |||
Detection of adversary disabling endpoint security tools by unloading launch agents/daemons, modifying configuration profiles, or using security/uninstall commands to remove agents. | |||
Detection of adversaries disabling cloud monitoring and logging agents such as CloudWatch, Google Cloud Monitoring, or Azure Monitor by API calls or agent process termination. | |||
Detection of adversaries tampering with container runtime security plugins, disabling admission controllers, or stopping monitoring sidecars. | |||
Detection of adversaries modifying startup configuration files to disable signature verification, logging, or monitoring features. |
T1078 - Valid Accounts
ID | Name | Analytic ID | Analytic Description |
Detection of compromised or misused valid accounts via anomalous logon patterns, abnormal logon types, and inconsistent geographic or time-based activity across Windows endpoints. | |||
Detection of valid account misuse through SSH logins, sudo/su abuse, and service account anomalies outside expected patterns. | |||
Detection of interactive and remote logins by service accounts or users at unusual times, with unexpected child process activity. | |||
Detection of valid account abuse in IdP logs via geographic anomalies, impossible travel, risky sign-ins, and multiple MFA attempts or failures. | |||
Detection of containerized service accounts or compromised kubeconfigs being used for cluster access from unexpected nodes or IPs. |
T1027 - Obfuscated Files or Information
ID | Name | Analytic ID | Analytic Description |
Correlates script execution or suspicious parent processes with creation or modification of encoded, compressed, or encrypted file formats (e.g., .zip, .7z, .enc) and abnormal command-line syntax or PowerShell obfuscation. | |||
Detects use of gzip, base64, tar, or openssl in scripts or commands that encode/encrypt files after file staging or system enumeration. | |||
Monitors use of archive or encryption tools (zip, openssl) tied to user-scripted activity or binaries writing encoded payloads under /Users or /Volumes. | |||
Identifies transfer of base64, uuencoded, or high-entropy files over HTTP, FTP, or custom protocols in lateral movement or exfiltration streams. | |||
Detects encoded PowerCLI or Base64-encoded payloads staged via datastore uploads or shell access (e.g., ESXi Shell or backdoored VIBs). |
T1486 - Data Encrypted for Impact
ID | Name | Analytic ID | Analytic Description |
High-frequency file write operations using uncommon extensions, followed by ransom note creation, registry tampering, or shadow copy deletion. Often uses CLI tools like vssadmin, wbadmin, cipher, or PowerShell. | |||
Encryption via custom or open-source tools (e.g., openssl, gpg, aescrypt) recursively targeting user or system directories. Also includes overwrite of existing data and ransom note drops. | |||
Userland or kernel-level ransomware encrypting user files (Documents, Desktop) using srm, gpg, or compiled payloads. Often correlated with ransom note creation in multiple directories. | |||
Ransomware encrypts .vmdk, .vmx, .log, or VM config files in VMFS datastores. May rename to .locked or delete/overwrite with encrypted versions. Often correlates with shell commands run through dcui, SSH, or vSphere. | |||
Encryption of cloud storage objects (e.g., S3 buckets) via Server-Side Encryption (SSE-C) or by replacing objects with encrypted variants. May include API patterns like PutObject with SSE-C headers. |
T1567.002 - Exfiltration to Cloud Storage
ID | Name | Analytic ID | Analytic Description |
Unusual processes (e.g., powershell.exe, excel.exe) accessing large local files and subsequently initiating HTTPS POST requests to domains associated with cloud storage services (e.g., dropbox.com, drive.google.com, box.com). Defender perspective: correlation between file reads in sensitive directories and high outbound traffic volume to known storage APIs. | |||
Processes such as curl, wget, rclone, or custom scripts executing uploads to cloud storage endpoints. Defender perspective: detect chained events where tar/gzip is executed to compress files followed by HTTPS PUT/POST requests to known storage services. | |||
Applications or scripts invoking cloud storage APIs (Dropbox sync, iCloud, Google Drive client) in unexpected contexts. Defender perspective: detect sensitive file reads by non-standard applications followed by unusual encrypted uploads to external cloud storage domains. | |||
Unusual ESXi processes (vmx, hostd) reading datastore files and generating outbound HTTPS traffic toward external cloud storage endpoints. Defender perspective: anomalous datastore activity followed by network transfers to Dropbox, AWS S3, or other storage services. |
T1570 - Lateral Tool Transfer
ID | Name | Analytic ID | Analytic Description |
Detection Strategy for Lateral Tool Transfer across OS platforms | Correlate suspicious file transfers over SMB or Admin$ shares with process creation events (e.g., cmd.exe, powershell.exe, certutil.exe) that do not align with normal administrative behavior. Detect remote file writes followed by execution of transferred binaries. | ||
Monitor scp, rsync, curl, sftp, or ftp processes initiating transfers to internal systems combined with file creation events in unusual directories. Correlate transfer activity with subsequent execution of those binaries. | |||
Detect anomalous use of scp, rsync, curl, or third-party sync apps transferring executables into user directories. Correlate new file creation with immediate execution events. | |||
Identify lateral transfer via datastore file uploads or internal scp/ssh sessions that result in new VMX/VMDK or script files. Correlate transfer with VM execution or datastore modification. |
T1059.003 - Windows Command Shell
ID | Name | Analytic ID | Analytic Description |
Detects interactive or scripted abuse of cmd.exe, batch files, or shell invocation chains. Focuses on parent-child relationships (e.g., cmd.exe launched from unusual parents), anomalous command-line parameters, and chaining with discovery, credential access, or lateral movement behaviors. |
T1070.004 - File Deletion
ID | Name | Analytic ID | Analytic Description |
Detects adversary behavior deleting artifacts (e.g., dropped payloads, evidence files) using native or external utilities (e.g., del, erase, SDelete). Detects deletion events correlated with unusual process lineage or timing post-execution. | |||
Detects deletion of suspicious files (e.g., payloads, temp exes, scripts) via rm, unlink, or secure deletion tools like shred, especially when performed by unexpected users or shortly after execution. | |||
Detects removal of adversary artifacts via rm, unlink, or secure tools, with focus on shell sessions, temp files, and modified LaunchAgents or system directories. | |||
Detects manual or scripted removal of logs, artifacts, or malware droppings via rm or PowerCLI in ESXi shell. Focus on deletions from /tmp/, /var/core/, or /scratch. |
T1021.001 - Remote Desktop Protocol
ID | Name | Analytic ID | Analytic Description |
Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity | Remote Desktop (RDP) logon by a user followed by unusual process execution, file access, or lateral movement activity within a short timeframe. |
T1569.002 - Service Execution
ID | Name | Analytic ID | Analytic Description |
Detection focuses on abnormal service executions initiated via service control manager APIs, sc.exe, net.exe, or PsExec creating temporary services. Defenders observe process creation of services.exe spawning non-standard binaries, registry changes in service keys followed by rapid execution, and network connections originating from processes tied to transient services. Correlation across process lineage, registry activity, and service logs provides strong signals of malicious service execution. |
T1490 - Inhibit System Recovery
ID | Name | Analytic ID | Analytic Description |
Process chains that use native utilities (vssadmin, wbadmin, diskshadow, bcdedit, REAgentC, wmic) with arguments to delete shadow copies, disable recovery, or remove backup catalogs | |||
Shell utilities or scripts deleting /etc/systemd/system/rescue.target, /etc/fstab backups, or /boot/efi partitions; chattr used to block snapshot auto-recovery | |||
ESXi shell or vim-cmd execution that deletes all VM snapshots using vmsvc/snapshot.removeall or rm on snapshot paths | |||
Execution of erase, format, and reload in immediate sequence from a privileged AAA session | |||
Cloud API calls disabling snapshot scheduling, backup policies, versioning, followed by DeleteSnapshot/DeleteVolume operations |