Sysmon and Ransomware Detection for ICS/OT

How Ransomware Attacks Work

Ransomware attacks follow a predictable progression. Understanding each stage helps explain which Sysmon Event IDs provide detection at each point.

What ICS Watch Dog Configs Detect

All ICS Watch Dog configurations include ransomware detection indicators. The following sections describe each detection category with the specific Sysmon Event IDs and rule patterns used.

Recovery Inhibition (Event ID 1: ProcessCreate)

Nearly all ransomware families delete shadow copies and disable recovery before encrypting files. ICS Watch Dog configs detect these commands via ProcessCreate include rules with named RuleNames for SIEM alerting:

• vssadmin.exe delete shadows /all /quiet -- Shadow copy deletion
• wmic shadowcopy delete -- Shadow copy deletion via WMI
• bcdedit /set recoveryenabled no -- Windows recovery disabled
• bcdedit /set safeboot -- Safe mode boot (Black Basta technique)
• wbadmin delete catalog -- Windows backup catalog deletion
• bcdedit /set bootstatuspolicy ignoreallfailures -- Boot status policy changed

MITRE ATT&CK: T1490 - Inhibit System Recovery

Ransomware families: WannaCry, Ryuk, Conti, LockBit, REvil, BlackCat/ALPHV, EKANS, Black Basta, Akira

Security Tool Disablement (Event ID 1 + Events 12-14)

Ransomware disables Windows Defender and other security tools before encrypting. Detected via ProcessCreate command line patterns and registry changes:

• Set-MpPreference -DisableRealtimeMonitoring $true -- Defender realtime disabled
• Set-MpPreference -ExclusionPath -- Defender exclusions added (e.g., exclude entire drive)
• Registry: \Policies\Microsoft\Windows Defender -- Group Policy-based Defender disablement
• Registry: \Control\SafeBoot -- Safe mode persistence (ensures ransomware service runs in safe mode where security tools do not load)
• Registry: \SecurityProviders\WDigest -- Plaintext credential caching enabled
• Registry: \Autologger\EventLog-Microsoft-Windows-Sysmon -- Sysmon logging tampered with

MITRE ATT&CK: T1562.001 - Disable or Modify Tools

Credential Dumping (Event ID 10: ProcessAccess)

Virtually all human-operated ransomware campaigns dump credentials from LSASS to obtain domain admin access for lateral movement. All ICS Watch Dog configs monitor for any non-system process accessing lsass.exe:

• Mimikatz accessing lsass.exe memory
• Impacket secretsdump
• rundll32.exe comsvcs.dll, MiniDump -- LSASS memory dump via built-in DLL

MITRE ATT&CK: T1003 - OS Credential Dumping

Process Injection and Tampering (Event IDs 8, 25)

Ransomware injects code into legitimate processes to evade detection and encrypt from trusted contexts:

• Event ID 8 (CreateRemoteThread) -- Detects code injection via remote thread creation. Ryuk, REvil, and BlackByte use this technique.
• Event ID 25 (ProcessTampering) -- Detects process hollowing and herpaderping. BlackByte 2.0 hollows svchost.exe before encrypting. Legitimate software does not use these techniques, making this a high-fidelity indicator.

MITRE ATT&CK: T1055 - Process Injection

C2 Named Pipes (Event IDs 17-18: PipeEvent)

Ransomware operators typically use C2 frameworks like Cobalt Strike to manage compromised networks before deploying ransomware. ICS Watch Dog configs include named pipe detection rules for known C2 indicators:

• Cobalt Strike: \MSSE-*-server, \postex_*, \status_*, \msagent_*
• Lateral movement: \PSEXESVC (PsExec), \paexec, \remcom, \csexec
• Credential tools: \lsadump, \cachedump, \wceservicepipe

MITRE ATT&CK: T1021 - Remote Services

Ransom Note Detection (Event ID 11: FileCreate)

OT configurations and the Jump Host config include FileCreate rules that detect common ransom note filename patterns. On an OT system, files with names containing DECRYPT, RANSOM, or RECOVER are highly suspicious:

• Files containing "DECRYPT" in the filename
• Files containing "RANSOM" in the filename
• Files containing "RECOVER" in the filename
• Decrypt-Your-Files.txt -- EKANS ransomware specific

Note: These rules are included in OT configs and the Jump Host config but not IT baseline configs, where filenames containing these terms are more common in normal business use.

MITRE ATT&CK: T1486 - Data Encrypted for Impact

Backup and Database File Deletion (Event ID 26: FileDeleteDetected)

Ransomware deletes backup files and database data files to prevent recovery. All ICS Watch Dog configs monitor deletion of:

• .bak -- Database backup files
• .vhd / .vhdx -- Virtual hard disk files
• .mdf / .ldf -- SQL Server data and log files

These deletions, combined with shadow copy deletion commands, are a strong indicator of ransomware activity in progress.

BYOVD: Vulnerable Driver Loading (Event ID 6: DriverLoad)

Modern ransomware groups load vulnerable legitimate drivers to disable EDR and antivirus at the kernel level (Bring Your Own Vulnerable Driver). All ICS Watch Dog configs log non-Microsoft driver loads. Notable vulnerable drivers used in ransomware attacks:

• RTCore64.sys (MSI) -- used by BlackByte
• DBUtil_2_3.sys (Dell) -- CVE-2021-21551
• mhyprot2.sys (Genshin Impact anti-cheat) -- used by multiple ransomware actors
• ProcExp.sys (Process Explorer) -- legitimate tool abused for AV kill

Cross-reference driver hashes against the LOLDrivers database for known vulnerable drivers.

MITRE ATT&CK: T1562.001 - Disable or Modify Tools

Executable File Detection (Event IDs 27, 29 -- Advanced OT and Jump Host)

Configs using schema 4.90 (Advanced OT and Jump Host) include additional detection capabilities:

• Event ID 27 (FileBlockExecutable) -- Detects (and can block) executable creation in OT vendor directories, Startup folders, and other protected locations. This is one of Sysmon's few preventive capabilities. CISA specifically recommends this feature for ransomware mitigation.
• Event ID 29 (FileExecutableDetected) -- Detects any new PE (executable) file written to disk, regardless of file extension. Catches ransomware executables disguised as .txt, .jpg, or other non-executable extensions.

ICS-Specific Ransomware

Several ransomware families have specifically targeted ICS/OT environments. The techniques used in these attacks inform the detection rules in ICS Watch Dog configurations.

EKANS / Snake

EKANS is the most ICS-specific ransomware to date. Unlike generic ransomware, EKANS contains a hard-coded kill list of ICS processes including GE Proficy and Honeywell HMIWeb. Before encrypting, it:

• Performs DNS resolution of the target organization's internal domain to verify it is on the correct victim network
• Terminates ICS processes and database/backup services (MSSQL, Veeam, Arcserve)
• Deletes shadow copies via WMI
• Drops Decrypt-Your-Files.txt as its ransom note

Sysmon detection: Event ID 1 (process termination commands, shadow copy deletion), Event ID 22 (internal domain DNS resolution), Event ID 11 (ransom note creation)

MITRE ATT&CK: S0605 - EKANS

LockerGoga (Norsk Hydro, 2019)

LockerGoga was deployed via Active Directory Group Policy, forcing password changes to lock out users and encrypting files with a .locked extension. This attack demonstrated how ransomware can leverage AD infrastructure for deployment -- a reason why monitoring domain controllers with the Server AD/DC config is critical.

Colonial Pipeline (DarkSide, 2021)

The Colonial Pipeline attack targeted the IT network, but the loss of billing and monitoring capability forced OT operations to shut down. This demonstrates that IT-side ransomware can have OT impact even without directly touching OT systems -- and why IT baseline monitoring matters for ICS/OT organizations.

What Makes ICS Ransomware Different

• Process kill lists -- Termination of HMI, SCADA, historian, and PLC programming software before encryption
• Target validation -- DNS resolution of internal domains to confirm OT network presence
• Safety implications -- Encrypting or crashing safety systems can have physical consequences beyond data loss
• Recovery complexity -- OT systems may require vendor involvement to restore, and downtime can affect production

What Sysmon Cannot Detect

Sysmon is a powerful telemetry tool, but it has limitations. Being honest about these limitations helps organizations build appropriate defense in depth.

• In-memory-only ransomware -- Fileless ransomware that never writes an executable to disk evades FileCreate and FileExecutableDetected. However, it is still detectable through ProcessCreate (scripting interpreter), CreateRemoteThread (injection), and ProcessTampering (hollowing).
• Kernel-level attacks after BYOVD -- Once an attacker loads a vulnerable driver and gains kernel access, they can disable Sysmon entirely by unloading its driver or zeroing its event log.
• Network protocol content -- Sysmon logs process-to-port connections but cannot inspect packet payloads. It cannot detect ICS protocol manipulation (Modbus command injection, S7comm abuse).
• Encrypted C2 traffic -- Sysmon logs the connection (IP, port, process) but not the encrypted payload.
• Safe mode attacks -- If ransomware forces a safe mode boot and disables Sysmon before reboot, Sysmon may not be running during encryption. Registry monitoring for SafeBoot key changes detects the setup, but not the execution.
• Evasion techniques -- Direct syscalls bypassing user-mode hooks, DLL unhooking, and event log clearing can reduce Sysmon's effectiveness.

Config Coverage by Tier

The following table shows which ransomware detection capabilities are available in each ICS Watch Dog configuration tier.

Defense in Depth

Sysmon alone is not sufficient to protect against ransomware. It provides critical detection telemetry, but effective ransomware defense requires multiple layers:

Complementary Controls

• EDR/Antivirus -- Real-time prevention and response. Sysmon provides forensic depth; EDR provides blocking capability.
• Application whitelisting -- AppLocker or Windows Defender Application Control (WDAC). Particularly important for OT systems with predictable software profiles.
• Windows Security Event Logs -- Sysmon cannot detect DCSync, Golden Ticket, Kerberoasting, or account creation. Windows Event IDs 4662, 4769, 4720, 4738 are required for these. See the Server AD/DC config header for complementary audit requirements.
• Network monitoring -- IDS/IPS and protocol-aware tools for ICS environments (Zeek, Claroty, Nozomi, Dragos). Sysmon monitors which process connects to which port, not protocol payloads.
• Backup solutions -- Offline, tested, ransomware-resistant backups. Sysmon detects backup deletion, but prevention requires proper backup architecture.
• Network segmentation -- IT/OT boundary enforcement. Sysmon detects boundary violations but cannot enforce them.
• Privileged access management -- Limiting domain admin credentials reduces the blast radius of credential dumping.

Sysmon's Role in OT

In OT environments, Sysmon's detection-only approach (Events 1-26) is well-suited because automated response is dangerous. Isolating an HMI or engineering workstation mid-operation could cause process safety issues. Sysmon informs human operators without interfering with operations, enabling informed manual response decisions.

Event IDs 27-28 (blocking) in the Advanced OT config should be used cautiously -- block only in directories where executables should never appear, not in active software directories during maintenance windows.

MITRE ATT&CK Reference

Key MITRE ATT&CK techniques relevant to ransomware, mapped to Sysmon Event IDs:

References

• CISA #StopRansomware Guide
• MITRE ATT&CK T1486 - Data Encrypted for Impact
• MITRE ATT&CK S0605 - EKANS Ransomware
• LOLDrivers - Living Off The Land Drivers
• Dragos OT Cybersecurity Year in Review
• Microsoft Sysmon Documentation
• SigmaHQ - Community Detection Rules
• SANS ICS 5 Critical Controls