diff --git a/Ransomware/File Creation Statistical Analysis b/Ransomware/File Creation Statistical Analysis new file mode 100644 index 00000000..dc5b10e9 --- /dev/null +++ b/Ransomware/File Creation Statistical Analysis @@ -0,0 +1,45 @@ +# File Creation Statistical Analysis [Standard Deviation, Moving Average] +Ransomeware Note File Creation with ".txt" Extension +## Query +``` +let startTime = now(-7d); +let endTime = now(); +DeviceFileEvents +| where Timestamp between ( startTime .. endTime ) +| where isnotempty(FileName) +| where FileName endswith ".txt" and ActionType == "FileCreated" +| summarize FileCreatedByProcess = count() by InitiatingProcessFileName, Timestamp +| summarize stdevFileCreatedByProcess = stdev(FileCreatedByProcess*10) by bin(Timestamp, 1h) +| serialize +| extend movAvg = (stdevFileCreatedByProcess + prev(stdevFileCreatedByProcess,1,0) + prev(stdevFileCreatedByProcess,2,0))/3.0 +| project stdevFileCreatedByProcess, movAvg, Timestamp +| sort by Timestamp asc +| render timechart +``` +## Category +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|------------------------|----------|-------| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | Y | +| Vulnerability | | | +| Exploit | | | +| Misconfiguration | | | +| Malware, component | | Y | +| Ransomware | | Y | + + +## Contributor info +**Contributor:** AjatShatru +**GitHub alias:** A-dd-Y +**Contact info:** https://www.linkedin.com/in/ajatshatrux
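Review bot: the moving average in this query is computed over rows in undefined order, because `| sort by Timestamp asc` comes after `| serialize` and the `prev()` calls rather than before them; `summarize ... by bin(Timestamp, 1h)` does not guarantee chronological output, so `prev(stdevFileCreatedByProcess,1,0)` may pick up a bucket from a different hour. Move the sort ahead of `serialize`, for example `| sort by Timestamp asc | serialize | extend movAvg = ...`, and drop the later sort. Two further points in the same hunk: the first `summarize FileCreatedByProcess = count() by InitiatingProcessFileName, Timestamp` keys on the raw event timestamp, so nearly every row is a count of 1 and the following `stdev()` is measuring little more than event spacing; binning there as well (`by InitiatingProcessFileName, bin(Timestamp, 1h)`) gives a real per-process-per-hour count to take the deviation of. The `*10` in `stdev(FileCreatedByProcess*10)` is an unexplained scale factor (stdev is linear, so it only multiplies the plotted value by 10); either remove it or say in the README why it is there. Minor: "Ransomeware" in the description line is misspelled, `| where isnotempty(FileName)` is redundant given the `endswith ".txt"` filter, and the Y markers for Impact, Malware and Ransomware sit in the Notes column instead of the "Covered? (v=yes)" column.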