This repository was archived by the owner on Nov 16, 2023. It is now read-only.

added misc pages related to ransomware techniques #231

Merged 3 commits on Nov 11, 2020
56 changes: 56 additions & 0 deletions Defense evasion/alt-data-streams.md
@@ -0,0 +1,56 @@
# Detect use of Alternate Data Streams

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.

The following query detects suspicious use of [Alternate Data Streams](https://docs.microsoft.com/sysinternals/downloads/streams) (ADS), which may indicate an attempt to mask malicious activity. These campaigns have been known to deploy ransomware in-memory and exploit ADS.

The [See also](#see=also) section below lists more queries related to techniques shared by these campaigns.

## Query

```Kusto
// Alternate Data Streams execution
DeviceProcessEvents
| where Timestamp > ago(7d)
// Command lines used
| where ProcessCommandLine startswith "-q -s" and ProcessCommandLine hasprefix "-p"
// Removing IDE processes
and not(FolderPath has_any("visual studio", "ide"))
| summarize make_set(ProcessCommandLine), make_set(FolderPath),
make_set(InitiatingProcessCommandLine) by DeviceId, bin(Timestamp, 1h)
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

[Return backup files deletion events](../Impact/backup-deletion.md)
[Detect attempts to turn off System Restore](./turn-off-system-restore.md)
[Detect cipher.exe deleting data](./deleting-data-w-cipher-tool.md)
[Detect clearing of system logs](./clear-system-logs.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team
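Review bot: the anchor in `[See also](#see=also)` will not resolve; GitHub generates `#see-also` for the `## See also` heading, so the `=` should be a `-` (the same anchor is repeated in every file in this PR). The link `./turn-off-system-restore.md` is also broken from `Defense evasion/`, because this PR adds that file under `Impact/`; it should be `../Impact/turn-off-system-restore.md`. On the query itself, nothing inspects a stream path (a `:` inside `FolderPath` or `FileName`); the whole filter is the command-line pattern `startswith "-q -s"` plus `hasprefix "-p"`, so the description should say which tooling that pattern corresponds to rather than presenting it as general ADS detection. `ProcessCommandLine` normally begins with the image name, so `startswith "-q -s"` is worth confirming against real events; `has "-q -s"` may be the safer form.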
51 changes: 51 additions & 0 deletions Defense evasion/clear-system-logs.md
@@ -0,0 +1,51 @@
# Detect clearing of system logs

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.

The following query detects attempts to use *fsutil.exe* to clear system logs and delete forensic artifacts.

The [See also](#see=also) section below lists more queries related to techniques shared by these campaigns.

## Query

```Kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "fsutil.exe"
and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

[Return backup files deletion events](../Impact/backup-deletion.md)
[Detect use of Alternate Data Streams](./alt-data-streams.md)
[Detect attempts to turn off System Restore](./turn-off-system-restore.md)
[Detect cipher.exe deleting data](./deleting-data-w-cipher-tool.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team
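Review bot: the title and description say "clear system logs", but the query matches `fsutil usn deletejournal`, which deletes the NTFS USN change journal on a volume, not the Windows event logs. Suggest renaming to something like "Detect deletion of the USN change journal" and describing it as removal of a file-system forensic artifact, so analysts do not expect it to fire on event-log clearing. The `#see=also` anchor and the `./turn-off-system-restore.md` link (the file is added under `Impact/`, so `../Impact/turn-off-system-restore.md`) have the same problems noted for alt-data-streams.md.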
56 changes: 56 additions & 0 deletions Defense evasion/deleting-data-w-cipher-tool.md
@@ -0,0 +1,56 @@
# Detect cipher.exe deleting data

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.

The following query detects the use of the tool *cipher.exe* to delete indicators of malicious activity right before encrypting a drive.

The [See also](#see=also) section below lists more queries related to techniques shared by these campaigns.

## Query

```Kusto
​DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "cipher.exe"
// Looking for /w flag for deleting
| where ProcessCommandLine has "/w"
| summarize CommandCount = dcount(ProcessCommandLine),
make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m)
// Looking for multiple drives in a short timeframe
| where CommandCount > 1
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

[Return backup files deletion events](../Impact/backup-deletion.md)
[Detect use of Alternate Data Streams](./alt-data-streams.md)
[Detect attempts to turn off System Restore](./turn-off-system-restore.md)
[Detect clearing of system logs](./clear-system-logs.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team
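Review bot: the first line of the query carries an invisible U+200B zero-width space ahead of `DeviceProcessEvents`; pasted into advanced hunting it fails to parse, so strip it. The description "delete indicators of malicious activity" overstates the filter: `cipher.exe /w` overwrites free space on a volume so already-deleted data cannot be recovered, which is why the query requires `CommandCount > 1` distinct command lines per device per one-minute bin (several drives wiped in quick succession). A sentence explaining that threshold, and that a single `/w` run by an administrator is deliberately filtered out, would help tuning. Same `#see=also` anchor and `./turn-off-system-restore.md` path issues as the other files.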
50 changes: 50 additions & 0 deletions Impact/backup-deletion.md
@@ -0,0 +1,50 @@
# Return backup files deletion events

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.

The following query returns alerts raised when backup files were deleted.

The [See also](#see=also) section below lists more queries related to techniques shared by these campaigns.

## Query

```Kusto
AlertInfo
| where Timestamp > ago(7d)
| where Title == "File backups were deleted"
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

[Detect use of Alternate Data Streams](../Defense%20evasion/alt-data-streams.md)
[Detect attempts to turn off System Restore](../Defense%20evasion/turn-off-system-restore.md)
[Detect cipher.exe deleting data](../Defense%20evasion/deleting-data-w-cipher-tool.md)
[Detect clearing of system logs](../Defense%20evasion/clear-system-logs.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team
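Review bot: `Title == "File backups were deleted"` is a case-sensitive exact match; the other queries in this PR use `=~`, and a case-insensitive match is safer if the alert title's casing changes. The description should also state that this returns an existing alert from `AlertInfo` rather than the underlying process events. The Category table marks Defense evasion as covered although the query only surfaces the backup-deletion alert, which is an Impact item; unmark it or justify it in Notes. The `#see=also` anchor and `../Defense%20evasion/turn-off-system-restore.md` (that file lives in `Impact/` in this PR, so `./turn-off-system-restore.md`) need fixing too.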
58 changes: 58 additions & 0 deletions Impact/turn-off-system-restore.md
@@ -0,0 +1,58 @@
# Detect attempts to turn off System Restore

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).

In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.

The following query detects attempts to stop System Restore, which would prevent the user from recovering data by going back to a restore point.

The [See also](#see=also) section below lists more queries related to techniques shared by these campaigns.

## Query

```Kusto
​DeviceProcessEvents
| where Timestamp > ago(7d)
//Pivoting for rundll32
and InitiatingProcessFileName =~ 'rundll32.exe'
//Looking for empty command line
and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""
//Looking for schtasks.exe as the created process
and FileName in~ ('schtasks.exe')
//Disabling system restore
and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore'
and ProcessCommandLine has 'disable'
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | v | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

## See also

[Return backup files deletion events](./backup-deletion.md)
[Detect use of Alternate Data Streams](../Defense%20evasion/alt-data-streams.md)
[Detect cipher.exe deleting data](../Defense%20evasion/deleting-data-w-cipher-tool.md)
[Detect clearing of system logs](../Defense%20evasion/clear-system-logs.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team
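Review bot: the comment `//Looking for empty command line` does not match the filter beneath it: `InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""` selects a non-empty command line with no spaces, i.e. a bare `rundll32.exe` launched with no arguments, so the comment should say that. As in deleting-data-w-cipher-tool.md, the first query line has a leading U+200B zero-width space before `DeviceProcessEvents` that must be removed. `FileName in~ ('schtasks.exe')` with a single value reads more naturally as `FileName =~ 'schtasks.exe'`. This file is added under `Impact/` while the three Defense evasion pages link to it as `./turn-off-system-restore.md`; either move it to `Defense evasion/` (the table marks both tactics) or fix those links. The `#see=also` anchor should be `#see-also`.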