Merge pull request #233 from martyav/doppelpaymer

files related to doppelpaymer

Author: tali-ash

Credential Access/doppelpaymer-procdump.md

@@ -0,0 +1,54 @@
+# Detect DoppelPaymer operators dumping credentials with ProcDump
+
+This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/).
+
+[DoppelPaymer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372) is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use SysInternal utilities such as [ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) to dump credentials from [LSASS](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection). They often use these stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization.
+
+The following query detects ProcDump being used to dump credentials from LSASS.
+
+The [See also](#See-also) section below lists links to other queries associated with DoppelPaymer.
+
+## Query
+
+```Kusto
+// Dumping of LSASS memory using procdump
+DeviceProcessEvents
+| where Timestamp > ago(7d)
+// Command lines that include "lsass" and -accepteula or -ma flags used in procdump
+| where (ProcessCommandLine has "lsass" and (ProcessCommandLine has "-accepteula" or
+ProcessCommandLine contains "-ma"))
+// Omits possible FPs where the full command is just "procdump.exe lsass" 
+or (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access | v |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Detect DoppelPaymer performing reconnaissance with net.exe](../Discovery/doppelpaymer.md)
+* [Detect DoppelPaymer operators spreading files with PsExec](../Lateral%20Movement/doppelpaymer-psexec.md)
+* [Detect DoppelPaymer operators stopping services](../Defense%20evasion/doppelpaymer-stop-services.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team

Defense evasion/doppelpaymer-stop-services.md

@@ -0,0 +1,52 @@
+# Detect DoppelPaymer operators stopping services
+
+This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/).
+
+[DoppelPaymer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372) is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization.
+
+The following query detects attempts to stop security services.
+
+The [See also](#See-also) section below lists links to other queries associated with DoppelPaymer.
+
+## Query
+
+```Kusto
+// Attempts to stop services and allow ransomware execution
+DeviceProcessEvents
+| where Timestamp > ago(7d)
+| where InitiatingProcessFileName startswith "psexe" and FileName =~ "powershell.exe" and 
+ProcessCommandLine has "stop-service"
+and ProcessCommandLine has "sql" and ProcessCommandLine has "msexchange"
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution | v |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion | v |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Detect DoppelPaymer performing reconnaissance with net.exe](../Discovery/doppelpaymer.md)
+* [Detect DoppelPaymer operators spreading files with PsExec](../Lateral%20Movement/doppelpaymer-psexec.md)
+* [Detect DoppelPaymer operators dumping credentials with ProcDump](../Credential%20Access/doppelpaymer-procdump.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team

Discovery/doppelpaymer.md

@@ -0,0 +1,56 @@
+# Detect DoppelPaymer performing reconnaissance with net.exe
+
+This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/).
+
+[DoppelPaymer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372) is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they may use *net.exe* to run reconnaissance and find service accounts to target. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization.
+
+The following query detects the *net.exe* reconnaissance method described above.
+
+The [See also](#See-also) section below lists links to other queries associated with DoppelPaymer.
+
+## Query
+
+```Kusto
+// Finds Net commands used to locate high-value accounts
+DeviceProcessEvents
+| where Timestamp > ago(7d)
+| where  FileName == "net.exe"
+// Create a set for the command lines
+| summarize makeset(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
+// Other process launches by Net in that same timeframe
+| where (set_ProcessCommandLine has "admin" 
+and set_ProcessCommandLine has_any("domain", "enterprise", "backup operators"))
+and set_ProcessCommandLine has "group" and set_ProcessCommandLine contains "/do"
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery | v |  |
+| Lateral movement | v |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Detect DoppelPaymer operators spreading files with PsExec](../Lateral%20Movement/doppelpaymer-psexec.md)
+* [Detect DoppelPaymer operators stopping services](../Defense%20evasion/doppelpaymer-stop-services.md)
+* [Detect DoppelPaymer operators dumping credentials with ProcDump](../Credential%20Access/doppelpaymer-procdump.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team

Lateral Movement/doppelpaymer-psexec.md

@@ -0,0 +1,54 @@
+# Detect DoppelPaymer operators spreading files with PsExec
+
+This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/).
+
+[DoppelPaymer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372) is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization. More specifically, they use common remote execution tools, such as [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec), to move laterally and distribute ransomware.
+
+The following query detects suspicious usage of PsExec to create files on a remote device.
+
+The [See also](#See-also) section below lists links to other queries associated with DoppelPaymer.
+
+## Query
+
+```Kusto
+// PsExec creating files on remote machines
+DeviceProcessEvents
+| where Timestamp > ago(7d)
+| where InitiatingProcessFileName startswith "psexe"
+| summarize CommandCount = dcount(ProcessCommandLine), makeset(ProcessCommandLine),
+makeset(FileName) by DeviceId, bin(Timestamp, 1d)
+| where CommandCount > 2
+| where set_ProcessCommandLine has "copy"
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement | v |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Detect DoppelPaymer performing reconnaissance with net.exe](../Discovery/doppelpaymer.md)
+* [Detect DoppelPaymer operators stopping services](../Defense%20evasion/doppelpaymer-stop-services.md)
+* [Detect DoppelPaymer operators dumping credentials with ProcDump](../Credential%20Access/doppelpaymer-procdump.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team