From 66d81cb0636c23db08e552ab05631d77c4324bd6 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Wed, 2 Sep 2020 17:58:00 -0400 Subject: [PATCH 1/3] added misc pages related to ransomware techniques --- Defense evasion/alt-data-streams.md | 56 ++++++++++++++++++ Defense evasion/clear-system-logs.md | 51 ++++++++++++++++ .../deleting-data-w-cipher-tool.md | 56 ++++++++++++++++++ Impact/backup-deletion.md | 50 ++++++++++++++++ Impact/turn-off-system-restore.md | 58 +++++++++++++++++++ 5 files changed, 271 insertions(+) create mode 100644 Defense evasion/alt-data-streams.md create mode 100644 Defense evasion/clear-system-logs.md create mode 100644 Defense evasion/deleting-data-w-cipher-tool.md create mode 100644 Impact/backup-deletion.md create mode 100644 Impact/turn-off-system-restore.md diff --git a/Defense evasion/alt-data-streams.md b/Defense evasion/alt-data-streams.md new file mode 100644 index 00000000..a685d1b3 --- /dev/null +++ b/Defense evasion/alt-data-streams.md 
@@ -0,0 +1,56 @@ +# Detect use of Alternate Data Streams + +This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/). + +In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques. + +The following query detects suspicious use of [Alternate Data Streams](https://docs.microsoft.com/sysinternals/downloads/streams) (ADS), which may indicate an attempt to mask malicious activity. These campaigns have been known to deploy ransomware in-memory and exploit ADS. + +The [See also](#see=also) section below lists more queries related to techniques shared by these campaigns. + +## Query + +```Kusto +// Alternate Data Streams execution +DeviceProcessEvents +| where Timestamp > ago(7d) +// Command lines used +| where ProcessCommandLine startswith "-q -s" and ProcessCommandLine hasprefix "-p" +// Removing IDE processes +and not(FolderPath has_any("visual studio", "ide")) +| summarize make_set(ProcessCommandLine), make_set(FolderPath), +make_set(InitiatingProcessCommandLine) by DeviceId, bin(Timestamp, 1h) +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? 
(v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | v | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +[Return backup files deletion events](../Impact/backup-deletion.md) +[Detect attempts to turn off System Restore](./turn-off-system-restore.md) +[Detect cipher.exe deleting data](./deleting-data-w-cipher-tool.md) +[Detect clearing of system logs](./clear-system-logs.md) + +## Contributor info + +**Contributor:** Microsoft Threat Protection team \ No newline at end of file diff --git a/Defense evasion/clear-system-logs.md b/Defense evasion/clear-system-logs.md new file mode 100644 index 00000000..c216acc7 --- /dev/null +++ b/Defense evasion/clear-system-logs.md 
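Review bot: the `where` clause in the alt-data-streams.md query does not match what the intro says it detects. The text promises detection of Alternate Data Stream use, but the filter is `ProcessCommandLine startswith "-q -s" and ProcessCommandLine hasprefix "-p"`, which keys on three command-line switches and never looks at ADS syntax (a `file:stream` path). Either state in the `// Command lines used` comment which tool those switches belong to, or word the intro as detecting the command-line pattern observed in these campaigns. Also, `startswith "-q -s"` assumes the command line begins with the switches, but in DeviceProcessEvents `ProcessCommandLine` normally begins with the executable name, so that predicate will rarely match; `contains "-q -s"` or a predicate on the argument portion is safer. Separately, `[See also](#see=also)` uses `=` where the heading anchor needs `-` (`#see-also`); the same broken anchor is repeated in each of the five new files.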
@@ -0,0 +1,51 @@ +# Detect clearing of system logs + +This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/). + +In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques. + +The following query detects attempts to use *fsutil.exe* to clear system logs and delete forensic artifacts. + +The [See also](#see=also) section below lists more queries related to techniques shared by these campaigns. + +## Query + +```Kusto +DeviceProcessEvents +| where Timestamp > ago(7d) +| where FileName =~ "fsutil.exe" +and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal" +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | v | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +[Return backup files deletion events](../Impact/backup-deletion.md) +[Detect use of Alternate Data Streams](./alt-data-streams.md) +[Detect attempts to turn off System Restore](./turn-off-system-restore.md) +[Detect cipher.exe deleting data](./deleting-data-w-cipher-tool.md) + +## Contributor info + +**Contributor:** Microsoft Threat Protection team 
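Review bot: the title and intro of clear-system-logs.md overstate what the query catches. `fsutil usn deletejournal` deletes the NTFS USN change journal, a forensic artifact used to reconstruct file activity; it does not clear Windows event logs, so "Detect clearing of system logs" and "clear system logs and delete forensic artifacts" should read "delete the NTFS USN change journal", or the Notes column next to the Defense evasion mark should say so. The `FileName =~ "fsutil.exe"` filter also misses a renamed copy of the binary; where the schema exposes the original file name from the version resource, matching on that as an alternative is more robust. This file is the only one of the five that ends with a trailing newline; the other four carry "\ No newline at end of file".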
diff --git a/Defense evasion/deleting-data-w-cipher-tool.md b/Defense evasion/deleting-data-w-cipher-tool.md new file mode 100644 index 00000000..346bb044 --- /dev/null +++ b/Defense evasion/deleting-data-w-cipher-tool.md 
@@ -0,0 +1,56 @@ +# Detect cipher.exe deleting data + +This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/). + +In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques. + +The following query detects the use of the tool *cipher.exe* to delete indicators of malicious activity right before encrypting a drive. + +The [See also](#see=also) section below lists more queries related to techniques shared by these campaigns. + +## Query + +```Kusto +​DeviceProcessEvents +| where Timestamp > ago(7d) +| where FileName =~ "cipher.exe" +// Looking for /w flag for deleting +| where ProcessCommandLine has "/w" +| summarize CommandCount = dcount(ProcessCommandLine), +make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m) +// Looking for multiple drives in a short timeframe +| where CommandCount > 1 +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? 
(v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | v | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +[Return backup files deletion events](../Impact/backup-deletion.md) +[Detect use of Alternate Data Streams](./alt-data-streams.md) +[Detect attempts to turn off System Restore](./turn-off-system-restore.md) +[Detect clearing of system logs](./clear-system-logs.md) + +## Contributor info + +**Contributor:** Microsoft Threat Protection team \ No newline at end of file diff --git a/Impact/backup-deletion.md b/Impact/backup-deletion.md new file mode 100644 index 00000000..d3f54125 --- /dev/null +++ b/Impact/backup-deletion.md 
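Review bot: the first line of the query block in deleting-data-w-cipher-tool.md (`+​DeviceProcessEvents`) begins with an invisible zero-width space (U+200B) before the table name, so a copy-paste into advanced hunting fails to resolve the table; please strip it. On the wording, the intro says cipher.exe is used to "delete indicators of malicious activity", but `cipher /w` overwrites free space on a volume so that already-deleted files cannot be recovered; the rationale in the `// Looking for multiple drives in a short timeframe` comment is right, so say that the tool is wiping free space after deletion rather than deleting indicators. Note also that `bin(Timestamp, 1m)` with `CommandCount > 1` only fires when two distinct `/w` command lines land in the same one-minute bucket; a single wipe, or two wipes that straddle a bucket boundary, is missed, so a wider bin or a per-device count over a sliding window is worth considering.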
@@ -0,0 +1,50 @@ +# Return backup files deletion events + +This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/). + +In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques. + +The following query returns alerts raised when backup files were deleted. + +The [See also](#see=also) section below lists more queries related to techniques shared by these campaigns. + +## Query + +```Kusto +​DeviceAlertEvents +| where Timestamp > ago(7d) +| where Title == "File backups were deleted" +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | v | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | v | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +[Detect use of Alternate Data Streams](../Defense%20evasion/alt-data-streams.md) +[Detect attempts to turn off System Restore](../Defense%20evasion/turn-off-system-restore.md) +[Detect cipher.exe deleting data](../Defense%20evasion/deleting-data-w-cipher-tool.md) +[Detect clearing of system logs](../Defense%20evasion/clear-system-logs.md) + +## Contributor info + +**Contributor:** Microsoft Threat Protection team \ No newline at end of file diff --git a/Impact/turn-off-system-restore.md b/Impact/turn-off-system-restore.md new file mode 100644 index 00000000..17cba7a4 
--- /dev/null +++ b/Impact/turn-off-system-restore.md 
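Review bot: `where Title == "File backups were deleted"` in backup-deletion.md is a case-sensitive exact match on alert title text; `=~` is more forgiving of casing changes in alert titles. The Category table ticks Defense evasion as well as Impact for this one, but deleting backups is recovery inhibition (ATT&CK T1490, Inhibit System Recovery, an Impact technique); either drop the Defense evasion mark or put the technique ID in the Notes column so the mapping is explicit. The query block here also carries a zero-width space (U+200B) between `+` and `DeviceAlertEvents`, which breaks copy-paste of the query.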
@@ -0,0 +1,58 @@ +# Detect attempts to turn off System Restore + +This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/). + +In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques. + +The following query detects attempts to stop System Restore, which would prevent the user from recovering data by going back to a restore point. + +The [See also](#see=also) section below lists more queries related to techniques shared by these campaigns. + +## Query + +```Kusto +​DeviceProcessEvents +| where Timestamp > ago(7d) +//Pivoting for rundll32 +and InitiatingProcessFileName =~ 'rundll32.exe' +//Looking for empty command line +and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != "" +//Looking for schtasks.exe as the created process +and FileName in~ ('schtasks.exe') +//Disabling system restore +and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore' +and ProcessCommandLine has 'disable' +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? 
(v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | v | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | v | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +[Return backup files deletion events](./backup-deletion.md) +[Detect use of Alternate Data Streams](../Defense%20evasion/alt-data-streams.md) +[Detect cipher.exe deleting data](../Defense%20evasion/deleting-data-w-cipher-tool.md) +[Detect clearing of system logs](../Defense%20evasion/clear-system-logs.md) + +## Contributor info + +**Contributor:** Microsoft Threat Protection team \ No newline at end of file From 616bbcc7d3b8ec7254d6fadc7f4b070416b1279a Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Wed, 14 Oct 2020 15:59:15 -0400 Subject: [PATCH 2/3] Update backup-deletion.md "In Impact/backup-deletion.md can you please change the table to be AlertsInfo, the MTP table? The MDATP table is going to be deprecated." --- Impact/backup-deletion.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Impact/backup-deletion.md b/Impact/backup-deletion.md index d3f54125..8d2fb5d4 100644 --- a/Impact/backup-deletion.md +++ b/Impact/backup-deletion.md @@ -11,7 +11,7 @@ The [See also](#see=also) section below lists more queries related to techniques ## Query ```Kusto -​DeviceAlertEvents +AlertsInfo | where Timestamp > ago(7d) | where Title == "File backups were deleted" ``` @@ -47,4 +47,4 @@ This query can be used to detect the following attack techniques and tactics ([s ## Contributor info -**Contributor:** Microsoft Threat Protection team \ No newline at end of file +**Contributor:** Microsoft Threat Protection team From 16a8217ca35c662eebc986f1a36cfae04d508905 Mon Sep 17 00:00:00 2001 
From: tali-ash <63594865+tali-ash@users.noreply.github.com> Date: Mon, 2 Nov 2020 20:24:36 +0200 Subject: [PATCH 3/3] Update backup-deletion.md AlertsInfo - remove s to AlertInfo --- Impact/backup-deletion.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Impact/backup-deletion.md b/Impact/backup-deletion.md index 8d2fb5d4..2e87f9c8 100644 --- a/Impact/backup-deletion.md +++ b/Impact/backup-deletion.md @@ -11,7 +11,7 @@ The [See also](#see=also) section below lists more queries related to techniques ## Query ```Kusto -AlertsInfo +AlertInfo | where Timestamp > ago(7d) | where Title == "File backups were deleted" ```
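Review bot: in turn-off-system-restore.md the comment `//Looking for empty command line` does not describe the predicate under it: `InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""` matches a non-empty command line with no spaces, i.e. a bare `rundll32.exe` with no arguments, which is the injected-rundll32 pivot the `//Pivoting for rundll32` comment hints at. Reword the comment so readers know the query is deliberately scoped to schtasks.exe spawned by an argument-less rundll32.exe. That scoping also means a `schtasks /Change` with `SystemRestore` and `/disable` launched from cmd.exe, PowerShell or a script does not match at all; consider a second, lower-confidence variant without the parent-process constraints, since the `has 'Change'` / `has 'SystemRestore'` / `has 'disable'` terms are already narrow. Also, the Category table ticks Defense evasion and Impact; disabling the System Restore task is ATT&CK T1490 (Inhibit System Recovery) and belongs in the Notes column, and the query block begins with a zero-width space (U+200B) before `DeviceProcessEvents` that breaks copy-paste.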
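Review bot: the table swap in the first hunk of PATCH 2/3 introduces a typo: the Microsoft 365 Defender alert table is `AlertInfo`, not `AlertsInfo`, so the query as committed fails to resolve the table (PATCH 3/3 corrects it). Worth flagging regardless: `AlertInfo` has no device columns, while the old `DeviceAlertEvents` row carried DeviceId and DeviceName, so the query loses device context. To keep it, join `AlertEvidence` on `AlertId`, e.g. `| join kind=inner (AlertEvidence | project AlertId, DeviceId, DeviceName) on AlertId`. The hunk also removes the U+200B zero-width space that preceded `DeviceAlertEvents`; the same character remains before the table name in deleting-data-w-cipher-tool.md and turn-off-system-restore.md and should be removed there too.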
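Review bot: the `AlertInfo` rename in PATCH 3/3 is correct, but the intro of backup-deletion.md ("This query returns alerts raised when backup files were deleted") should now state that the query requires the Microsoft 365 Defender advanced hunting schema, since `AlertInfo` does not exist in the Defender for Endpoint-only schema where `DeviceAlertEvents` did. The hunk context `The [See also](#see=also) section below` shows the broken heading anchor is still present after both follow-up patches; it should be `#see-also` and could be fixed in the same touch.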