diff --git a/Credential Access/doppelpaymer-procdump.md b/Credential Access/doppelpaymer-procdump.md new file mode 100644 index 00000000..c31f099d --- /dev/null +++ b/Credential Access/doppelpaymer-procdump.md 
@@ -0,0 +1,54 @@ +# Detect DoppelPaymer operators dumping credentials with ProcDump + +This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/). + +[DoppelPaymer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372) is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use SysInternal utilities such as [ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) to dump credentials from [LSASS](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection). They often use these stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization. + +The following query detects ProcDump being used to dump credentials from LSASS. + +The [See also](#See-also) section below lists links to other queries associated with DoppelPaymer. + +## Query + +```Kusto +// Dumping of LSASS memory using procdump +DeviceProcessEvents +| where Timestamp > ago(7d) +// Command lines that include "lsass" and -accepteula or -ma flags used in procdump +| where (ProcessCommandLine has "lsass" and (ProcessCommandLine has "-accepteula" or +ProcessCommandLine contains "-ma")) +// Omits possible FPs where the full command is just "procdump.exe lsass" +or (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass') +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. 
+ +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | v | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +* [Detect DoppelPaymer performing reconnaissance with net.exe](../Discovery/doppelpaymer.md) +* [Detect DoppelPaymer operators spreading files with PsExec](../Lateral%20Movement/doppelpaymer-psexec.md) +* [Detect DoppelPaymer operators stopping services](../Defense%20evasion/doppelpaymer-stop-services.md) + +## Contributor info + +**Contributor:** Microsoft Threat Protection team diff --git a/Defense evasion/doppelpaymer-stop-services.md b/Defense evasion/doppelpaymer-stop-services.md new file mode 100644 index 00000000..ac3cbba8 --- /dev/null +++ b/Defense evasion/doppelpaymer-stop-services.md 
@@ -0,0 +1,52 @@ +# Detect DoppelPaymer operators stopping services + +This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/). + +[DoppelPaymer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372) is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization. + +The following query detects attempts to stop security services. + +The [See also](#See-also) section below lists links to other queries associated with DoppelPaymer. + +## Query + +```Kusto +// Attempts to stop services and allow ransomware execution +DeviceProcessEvents +| where Timestamp > ago(7d) +| where InitiatingProcessFileName startswith "psexe" and FileName =~ "powershell.exe" and +ProcessCommandLine has "stop-service" +and ProcessCommandLine has "sql" and ProcessCommandLine has "msexchange" +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? 
(v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | v | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | v | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +* [Detect DoppelPaymer performing reconnaissance with net.exe](../Discovery/doppelpaymer.md) +* [Detect DoppelPaymer operators spreading files with PsExec](../Lateral%20Movement/doppelpaymer-psexec.md) +* [Detect DoppelPaymer operators dumping credentials with ProcDump](../Credential%20Access/doppelpaymer-procdump.md) + +## Contributor info + +**Contributor:** Microsoft Threat Protection team diff --git a/Discovery/doppelpaymer.md b/Discovery/doppelpaymer.md new file mode 100644 index 00000000..4d060b8e --- /dev/null +++ b/Discovery/doppelpaymer.md 
@@ -0,0 +1,56 @@ +# Detect DoppelPaymer performing reconnaissance with net.exe + +This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/). + +[DoppelPaymer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372) is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they may use *net.exe* to run reconnaissance and find service accounts to target. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization. + +The following query detects the *net.exe* reconnaissance method described above. + +The [See also](#See-also) section below lists links to other queries associated with DoppelPaymer. + +## Query + +```Kusto +// Finds Net commands used to locate high-value accounts +DeviceProcessEvents +| where Timestamp > ago(7d) +| where FileName == "net.exe" +// Create a set for the command lines +| summarize makeset(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m) +// Other process launches by Net in that same timeframe +| where (set_ProcessCommandLine has "admin" +and set_ProcessCommandLine has_any("domain", "enterprise", "backup operators")) +and set_ProcessCommandLine has "group" and set_ProcessCommandLine contains "/do" +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? 
(v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | | | +| Discovery | v | | +| Lateral movement | v | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +* [Detect DoppelPaymer operators spreading files with PsExec](../Lateral%20Movement/doppelpaymer-psexec.md) +* [Detect DoppelPaymer operators stopping services](../Defense%20evasion/doppelpaymer-stop-services.md) +* [Detect DoppelPaymer operators dumping credentials with ProcDump](../Credential%20Access/doppelpaymer-procdump.md) + +## Contributor info + +**Contributor:** Microsoft Threat Protection team diff --git a/Lateral Movement/doppelpaymer-psexec.md b/Lateral Movement/doppelpaymer-psexec.md new file mode 100644 index 00000000..f5743bb9 --- /dev/null +++ b/Lateral Movement/doppelpaymer-psexec.md 
@@ -0,0 +1,54 @@ +# Detect DoppelPaymer operators spreading files with PsExec + +This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/). + +[DoppelPaymer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372) is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization. More specifically, they use common remote execution tools, such as [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec), to move laterally and distribute ransomware. + +The following query detects suspicious usage of PsExec to create files on a remote device. + +The [See also](#See-also) section below lists links to other queries associated with DoppelPaymer. + +## Query + +```Kusto +// PsExec creating files on remote machines +DeviceProcessEvents +| where Timestamp > ago(7d) +| where InitiatingProcessFileName startswith "psexe" +| summarize CommandCount = dcount(ProcessCommandLine), makeset(ProcessCommandLine), +makeset(FileName) by DeviceId, bin(Timestamp, 1d) +| where CommandCount > 2 +| where set_ProcessCommandLine has "copy" +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? 
(v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | v | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +* [Detect DoppelPaymer performing reconnaissance with net.exe](../Discovery/doppelpaymer.md) +* [Detect DoppelPaymer operators stopping services](../Defense%20evasion/doppelpaymer-stop-services.md) +* [Detect DoppelPaymer operators dumping credentials with ProcDump](../Credential%20Access/doppelpaymer-procdump.md) + +## Contributor info + +**Contributor:** Microsoft Threat Protection team
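Review bot: In Credential Access/doppelpaymer-procdump.md, the comment `// Omits possible FPs where the full command is just "procdump.exe lsass"` describes the opposite of what the branch beneath it does: `or (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')` widens the match to include exactly that command line rather than excluding it. Either reword the comment to say the branch catches a bare `procdump.exe lsass` invocation that lacks the `-accepteula` or `-ma` flags, or, if the intent really was to suppress that case, move it into a `where not(...)` clause. Also, `contains "-ma"` is a substring match while the neighbouring `has "-accepteula"` is a whole-term match; a short comment on why the two operators differ would help the next maintainer.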
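Review bot: In Defense evasion/doppelpaymer-stop-services.md, the final predicate `and ProcessCommandLine has "sql" and ProcessCommandLine has "msexchange"` requires both strings in a single command line, so a Stop-Service invocation that targets only SQL services or only Exchange services never matches; consider `has_any("sql", "msexchange")` (the form already used in Discovery/doppelpaymer.md) unless the pairing is deliberate, in which case state that in the leading comment. Note also that `has` is whole-term matching, so `has "sql"` matches a standalone term such as in `*sql*` but not a service name where `sql` is embedded in a longer token; confirm the operator choice against the command lines the report observed, or use `contains` as the ProcDump query does for `-ma`.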
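Review bot: In Discovery/doppelpaymer.md, the Category table ticks Lateral movement as covered with an empty Notes cell, but the query only looks for `net.exe` group-enumeration command lines (`admin`, `group`, `/do`), which is discovery; either drop that tick or explain in Notes how the query evidences lateral movement. In the query itself, `FileName == "net.exe"` is a case-sensitive comparison while the sibling queries use `=~` and `in~`; use `=~` here for consistency. The comment `// Other process launches by Net in that same timeframe` does not describe the keyword filter beneath it (it filters the collected command lines, not other launches) and should be reworded.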
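Review bot: In Lateral Movement/doppelpaymer-psexec.md, `makeset(FileName)` produces a `set_FileName` column that the query never reads; either drop it or use it, since the description promises detection of PsExec creating files on a remote device while the only content check is `set_ProcessCommandLine has "copy"`. The `CommandCount > 2` threshold over a `bin(Timestamp, 1d)` window is also undocumented; a comment stating why three distinct command lines per device per day is the cut-off, and that `startswith "psexe"` is intentionally a prefix match rather than an exact file name, would make the query easier to tune. Minor: `makeset` is the older spelling of `make_set`, here and in Discovery/doppelpaymer.md.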