A further update... I happened upon some further Cryptolocker (4) info { Cisco Talos Blog: Threat Spotlight: CryptoWall 4 - The Evolution Continues } and decided to add a bit more to my monitoring. One extra thing I am now looking for is FileAttributeChange.FileName == *\HELP_YOUR_FILES.* and FileCreate.FileName == *\HELP_YOUR_FILES.*. Note that if you want to add this to your monitoring and you have it set up as I have documented above, you'll need to change the rules and the FIM conditions.
I've also had mine going for a while and have not seen any false positives (no instances other than the tests I have done), so I have now decided that I want to implement automatic account lockouts if this rule happens to be triggered. In the Cryptolocker rule I created, I added an Action > Disable Domain User Account. This presents a couple of problems. The rule detects FileCreate and FileAttributeChange events, so in order to act on either, I'd possibly need to create two actions with the 'Destination Account' matching FileCreate.SourceAccount and FileAttributeChange.SourceAccount. The main issue, which I'm wondering if anyone can help me figure out, is how to properly define the 'Domain Controller Agent'. This field does not accept things like Connector Profiles or User Defined Groups. I have been able to assign it a Constant > Text to attempt to statically assign one of the DCs (which have the Agent installed and the Active Response Connector configured), but this hasn't worked for any tests I've thrown at it. That leads me to believe I'm not assigning it correctly. I haven't found any documentation on how to properly assign this, only that it can be done. Anyone got any ideas?
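The detection logic the post describes, written out as an added example (not the poster's rule or any vendor's code): the two FIM event types are checked against the *\HELP_YOUR_FILES.* indicator, and the SourceAccount from either event type is collected into one list that a single lockout action could consume. Event field names follow the post; the event dicts and account names are constructed sample data.

```python
"""Match FileCreate / FileAttributeChange events against the CryptoWall 4
ransom-note indicator and return the accounts that produced them.
Constructed example; events are modelled as dicts, not real telemetry."""
import fnmatch
from typing import Iterable

# Indicator from the post: the ransom note dropped into encrypted folders.
RANSOM_NOTE_PATTERN = r"*\HELP_YOUR_FILES.*"
# Both event types the post's rule fires on; either should name the account.
MONITORED_EVENTS = ("FileCreate", "FileAttributeChange")


def is_ransom_note(file_name: str) -> bool:
    """Case-insensitive glob match (NTFS paths are case-insensitive).
    The leading backslash anchors the match to a whole path component,
    so 'not_help_your_files.txt' does not match."""
    return fnmatch.fnmatchcase(file_name.lower(), RANSOM_NOTE_PATTERN.lower())


def accounts_to_disable(events: Iterable[dict]) -> list[str]:
    """Distinct SourceAccount values, in first-seen order, from monitored
    events whose FileName matched the ransom-note pattern. Merging both
    event types here avoids needing one action per event type."""
    seen: dict[str, None] = {}
    for ev in events:
        if ev.get("EventType") not in MONITORED_EVENTS:
            continue
        if not is_ransom_note(ev.get("FileName", "")):
            continue
        account = ev.get("SourceAccount")
        if account:
            seen.setdefault(account, None)
    return list(seen)


# Constructed sample events (hypothetical hosts, shares and accounts).
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "FileName": r"C:\Users\alice\Documents\HELP_YOUR_FILES.TXT", "SourceAccount": r"CORP\alice"},
    {"EventType": "FileAttributeChange", "FileName": r"\\fs01\share\finance\help_your_files.html", "SourceAccount": r"CORP\alice"},
    {"EventType": "FileCreate", "FileName": r"C:\Users\bob\Desktop\not_help_your_files.txt", "SourceAccount": r"CORP\bob"},
    {"EventType": "FileDelete", "FileName": r"C:\Users\carol\HELP_YOUR_FILES.PNG", "SourceAccount": r"CORP\carol"},
    {"EventType": "FileCreate", "FileName": r"D:\data\HELP_YOUR_FILES.TXT", "SourceAccount": r"CORP\dave"},
]

if __name__ == "__main__":
    print(accounts_to_disable(SAMPLE_EVENTS))  # ['CORP\\alice', 'CORP\\dave']
```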