Summary:  The Third Wall Ransomware Monitor alerts you when a 'bait' file has been tampered with, which can be an early warning of an attack in progress.  We have seen external applications, such as OneDrive, generate false alarms for this monitor.  This document helps you determine the cause of such an alarm by showing how to identify the user account and the process that modified the bait file(s).


Setup:  All listed actions are to be performed on the remote computer that is running the Ransomware Monitor, from an elevated (administrator) prompt.  Every step must be completed before any results will appear.


  1. Ensure the remote computer is not running the Third Wall 'Enhance Security Event Logging' policy.  If it is, add an exception for this computer to that policy.  The Enhance Security Event Logging policy disables Object Access auditing, which is required to see the source of changes to the bait files.
  2. Modify the Object Access auditing setting.  The GUID below is the 'File System' subcategory under Object Access.  This command line will apply the appropriate setting:
    auditpol /set /subcategory:{0CCE921D-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
  3. Verify the Object Access auditing setting.  This command line will display the computer's current setting:
    auditpol /get /subcategory:{0CCE921D-69AE-11D9-BED3-505054503030}
    The output should show 'Success and Failure' for the File System subcategory, i.e. enabled for both.
  4. Modify the Audit Settings (the SACL) on the bait files.
    1. Navigate to the bait files in Explorer.
    2. Right-click a file and select Properties.  This will open the 'Properties' window.
    3. On the freshly opened 'Properties' window, click the 'Security' tab.
    4. Press the 'Advanced' button.  This will open the 'Advanced Security Settings' window.
    5. On the freshly opened 'Advanced Security Settings' window, click the 'Auditing' tab.
    6. Press the 'Add' button.
    7. Click the 'Select a principal' link.  This will open a 'Select User or Group' window.  Enter 'Everyone' in the field at the bottom and press the 'Check Names' button.  The display will change and 'Everyone' will be underlined.
    8. Press 'OK' to apply the assignment.  This will return you to the prior screen, which now shows 'Everyone' as the principal.
    9. Tick the 'Modify' permission.  This will also cause the 'Write' box to become selected; this is expected.  Leave 'Type' set to 'All' so that both successful and failed attempts are logged.
    10. Click 'OK'.  This will return you to the prior screen, which now lists the new audit entry.
    11. Press 'OK'.
    12. Close the File Properties screen.
    13. Congratulations!  You have just enabled file auditing on the first bait file.  Any change, or attempted change, to this file will now produce an audit event in the Security log in Event Viewer (Windows Logs > Security).
    14. Repeat steps 2 - 12 for the other three bait files.
    15. Microsoft also has a command line tool that can set these audit entries: subinacl.exe, which can be found here:  http://www.microsoft.com/en-us/download/details.aspx?id=23510
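
The same setup, steps 2 through 4, as a single script.  This is an added example and not Third Wall's own tooling.  It assumes the bait files sit in the folder assigned to $BaitFolder (change that to match your deployment) and must be run from an elevated PowerShell prompt on the computer running the monitor, because reading and writing a file's SACL requires the security privilege:

```powershell
# Added example, not Third Wall's code: steps 2-4 above, scripted.
# Run from an elevated PowerShell prompt on the computer running the monitor.
# ASSUMPTION: the bait files live in this folder; change it to match your deployment.
$BaitFolder = 'C:\ThirdWall\Bait'

# 'File System' subcategory of Object Access (the GUID used in steps 2 and 3).
$FileSystemSubcategory = '{0CCE921D-69AE-11D9-BED3-505054503030}'

# Steps 2 and 3: enable success and failure auditing, then read the setting back.
auditpol /set "/subcategory:$FileSystemSubcategory" /success:enable /failure:enable | Out-Null
auditpol /get "/subcategory:$FileSystemSubcategory"

# Step 4: the SACL entry the GUI steps create.  'Modify' implies 'Write' (which is
# why the GUI ticks Write for you); Success + Failure logs both completed and
# denied attempts, matching Type = 'All' in the dialog.
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rights    = [System.Security.AccessControl.FileSystemRights]::Modify
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $flags)

# -Force includes hidden bait files, in case yours are marked hidden.
Get-ChildItem -Path $BaitFolder -File -Force | ForEach-Object {
    $path = $_.FullName

    # -Audit makes Get-Acl read the SACL as well as the DACL; Set-Acl writes both back.
    $acl = Get-Acl -Path $path -Audit
    $acl.AddAuditRule($auditRule)
    Set-Acl -Path $path -AclObject $acl

    # Confirm the audit entry landed on each file (step 13's check, done here).
    "`nAudit entries on $path"
    (Get-Acl -Path $path -Audit).Audit |
        Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
}
```

If Get-Acl -Audit fails with a privilege error, the prompt is not elevated; the DACL can be read without elevation but the SACL cannot.  Step 1 still applies: if the 'Enhance Security Event Logging' policy is re-applied later it will switch File System auditing back off, and the SACL entries above will then produce no events.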


Tracking:  With auditing in place, the next time the monitor alerts you to a change you will be able to see directly which process made the attempt and which user account that process was running as (along with a lot of other potentially useful information).  All of this is recorded in the computer's Security log.


Use this table of Event IDs to track the changes reported by Third Wall:

4656  A handle to an object was requested
      Logs the start of every file activity, but does not guarantee that it succeeded.
      Provides: the name of the file.

4663  An attempt was made to access an object
      Logs the specific micro-operations performed as part of the activity.
      Provides: what exactly was done.

4660  An object was deleted
      Logs a delete operation.
      Provides: the only way to verify that an activity was actually a delete.

4658  The handle to an object was closed
      Logs the end of a file activity.
      Provides: how much time the activity took.

All four events name the user (Subject) and the process (Process Name).  Only 4656 and 4663 carry the file path (Object Name); 4660 and 4658 identify the file solely by the Handle ID that was assigned in the 4656 event, so match on Handle ID (and Process ID) to tie a delete or a close back to a particular bait file.
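
The correlation described above, as an added example (not Third Wall's code): it pulls the four event IDs from the Security log, maps each Handle ID back to the file path from the 4656 event, and prints one row per event with the user, process and access mask, so a OneDrive-style false alarm shows up as OneDrive.exe under the signed-in user's account.  It assumes the bait files live under $BaitFolder (adjust to your deployment) and must run elevated, because the Security log is readable only by administrators:

```powershell
# Added example, not Third Wall's code: resolve bait-file audit events to user and process.
# Run from an elevated PowerShell prompt on the computer running the monitor.
# ASSUMPTION: the bait files live under this folder; change it to match your deployment.
$BaitFolder = 'C:\ThirdWall\Bait'

function Get-EventData {
    # Flatten the <EventData> section of a Security event into a hashtable
    # keyed by field name (ObjectName, HandleId, ProcessName, ...).
    param($Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# The four Object Access events from the table, most recent day only.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4656, 4663, 4660, 4658
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# 4656 and 4663 carry the file path; 4660 and 4658 carry only the Handle ID.
# Handle IDs are per process, so key the map on ProcessId + HandleId.
$handles = @{}
$rows = foreach ($e in ($events | Sort-Object TimeCreated)) {
    $d   = Get-EventData $e
    $key = "$($d.ProcessId)|$($d.HandleId)"

    if ($e.Id -eq 4656 -and $d.ObjectName -like "$BaitFolder*") {
        $handles[$key] = $d.ObjectName      # remember which file this handle is for
    }

    $file = if ($d.ObjectName) { $d.ObjectName } else { $handles[$key] }
    if (-not $file -or $file -notlike "$BaitFolder*") { continue }   # not a bait file

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        File    = $file
        User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Process = $d.ProcessName
        Access  = $d.AccessMask     # present on 4656/4663 only; 0x10000 is DELETE
        Handle  = $d.HandleId
    }
}

$rows | Format-Table -AutoSize
```

Read the output top to bottom for one Handle value: the 4656 row opens the file and names it, the 4663 rows show what was done, a 4660 row (if present) proves the file was actually deleted rather than merely opened with delete access, and the 4658 row closes the handle, so the gap between the 4656 and 4658 timestamps is how long the activity took.  If the Process column for a bait-file change is a sync client or backup agent rather than an unknown binary, the alert was a false alarm from that application.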