added misc pages related to ransomware techniques #231
tali-ash merged 3 commits into microsoft:master from
tali-ash
left a comment
In Impact/backup-deletion.md can you please change the table to be AlertsInfo, the MTP table? The MDATP table is going to be deprecated.
"In Impact/backup-deletion.md can you please change the table to be AlertsInfo, the MTP table? The MDATP table is going to be deprecated."
@tali-ash I recently pushed a commit addressing your suggestion.
AlertsInfo - remove s to AlertInfo
tali-ash
left a comment
In the query of # Detect attempts to turn off System Restore
what is the intent of the following?
and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""
to check those fields are not empty?
I asked the researchers. They responded:
@martyav So will the isnotempty() operator work for it?
Part of a series of pull requests, placing queries from the TA reports in the repo.
Some of the column names may be outdated, as some of the reports are quite old.
Others in the series:
#145, #155, #163, #165,
#168, #169, #170, #172,
#173, #174, #175, #177,
#178, #182, #183, #190,
#191, #192, #195, #196,
#198, #202, #203, #204,
#205, #206, #207, #208,
#209, #214, #215, #218,
#229, #230