name: AN-DET-06 Mass-encryption file-system anomaly
details: |
  Detects ransomware-style mass file modification on launch-control file systems (SVC:CP:Control
  Plane:10) and patch binary stores (AST:DA:Data:02). Flags high-rate write-and-rename with entropy
  shift, ransom-note artifacts, and abnormal write fan-out from a single process. Implements
  AN-DET:06.
author: ethicallyHackingSpace
severity: critical
type: query
class: ransomware
status: stable
date: 2026-06-07
mitre-attack:
  - T1486
references:
  - https://www.cisa.gov/stopransomware
  - https://attack.mitre.org/techniques/T1486/
tags:
  - meteorstorm.an-det.06
  - meteorstorm.tdm.svc-cp-control-plane-10
  - meteorstorm.tdm.ast-da-data-02
  - attack.impact
logsource:
  product: file_integrity_monitoring
  category: file_event
detection:
  selection_target_path:
    file_path|startswith:
      - "/var/launch/"
      - "/srv/patches/"
      - "D:\\Launch\\"
  selection_mass_write:
    files_modified_per_second_per_process: ">=20"
  selection_entropy_shift:
    entropy_delta: ">=2.5"
  selection_extension_anomaly:
    file_extension|contains_new:
      - ".locked"
      - ".enc"
      - ".rsa"
      - ".crypto"
  selection_ransom_note:
    file_name|contains:
      - "READ_ME"
      - "DECRYPT_INSTRUCTIONS"
      - "HOW_TO_RESTORE"
  condition: selection_target_path and (selection_mass_write or selection_entropy_shift or selection_extension_anomaly or selection_ransom_note)
falsepositives:
  - Authorized full-disk archive operation (requires change-control reference)
