Dev-0530 File Extension Rename
Id | d82eb796-d1eb-43c8-a813-325ce3417cef |
Rulename | Dev-0530 File Extension Rename |
Description | Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note. |
Severity | High |
Tactics | Impact |
Techniques | T1486 |
Required data connectors | MicrosoftThreatProtection |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0530_FileExtRename.yaml |
Version | 1.1.1 |
Arm template | d82eb796-d1eb-43c8-a813-325ce3417cef.json |
union isfuzzy=true
(DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".h0lyenc" or FolderPath == "C:\\FOR_DECRYPT.html"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
by
AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,
DeviceName,
Type,
InitiatingProcessId,
FileName,
FolderPath,
EventType = ActionType,
Commandline = InitiatingProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessSHA256,
FileHashCustomEntity = SHA256,
AlgorithmCustomEntity = "SHA256"
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
),
(imFileEvent
| where EventType == "FileCreated"
| where TargetFilePath endswith ".h0lyenc" or TargetFilePath == "C:\\FOR_DECRYPT.html"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
by
ActorUsername,
DvcHostname,
DvcDomain,
DvcId,
Type,
EventType,
FileHashCustomEntity = TargetFileSHA256,
Hash,
TargetFilePath,
Commandline = ActingProcessCommandLine,
AlgorithmCustomEntity = "SHA256"
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountDomain = tostring(split(ActorUsername, @'\')[0])
| extend HostName = DvcHostname, HostNameDomain = DvcDomain
| extend DeviceName = strcat(DvcHostname, ".", DvcDomain )
)
relevantTechniques:
- T1486
queryPeriod: 1d
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
- DeviceFileEvents
connectorId: MicrosoftThreatProtection
triggerThreshold: 0
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: ActorUserName
- identifier: Name
columnName: AccountName
- identifier: NTDomain
columnName: AccountDomain
entityType: Account
- fieldMappings:
- identifier: FullName
columnName: DeviceName
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: HostNameDomain
entityType: Host
- fieldMappings:
- identifier: Algorithm
columnName: AlgorithmCustomEntity
- identifier: Value
columnName: FileHashCustomEntity
entityType: FileHash
name: Dev-0530 File Extension Rename
tags:
- Dev-0530
- Schema: ASIMFileEvent
SchemaVersion: 0.1.0
query: |
union isfuzzy=true
(DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".h0lyenc" or FolderPath == "C:\\FOR_DECRYPT.html"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
by
AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,
DeviceName,
Type,
InitiatingProcessId,
FileName,
FolderPath,
EventType = ActionType,
Commandline = InitiatingProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessSHA256,
FileHashCustomEntity = SHA256,
AlgorithmCustomEntity = "SHA256"
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
),
(imFileEvent
| where EventType == "FileCreated"
| where TargetFilePath endswith ".h0lyenc" or TargetFilePath == "C:\\FOR_DECRYPT.html"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
by
ActorUsername,
DvcHostname,
DvcDomain,
DvcId,
Type,
EventType,
FileHashCustomEntity = TargetFileSHA256,
Hash,
TargetFilePath,
Commandline = ActingProcessCommandLine,
AlgorithmCustomEntity = "SHA256"
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountDomain = tostring(split(ActorUsername, @'\')[0])
| extend HostName = DvcHostname, HostNameDomain = DvcDomain
| extend DeviceName = strcat(DvcHostname, ".", DvcDomain )
)
queryFrequency: 1d
id: d82eb796-d1eb-43c8-a813-325ce3417cef
severity: High
description: |
'Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.'
metadata:
source:
kind: Community
categories:
domains:
- Security - Others
support:
tier: Community
author:
name: Microsoft Security Research
version: 1.1.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0530_FileExtRename.yaml
kind: Scheduled
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d82eb796-d1eb-43c8-a813-325ce3417cef')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d82eb796-d1eb-43c8-a813-325ce3417cef')]",
"properties": {
"alertRuleTemplateName": "d82eb796-d1eb-43c8-a813-325ce3417cef",
"customDetails": null,
"description": "'Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.'\n",
"displayName": "Dev-0530 File Extension Rename",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "ActorUserName",
"identifier": "FullName"
},
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "HostNameDomain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "AlgorithmCustomEntity",
"identifier": "Algorithm"
},
{
"columnName": "FileHashCustomEntity",
"identifier": "Value"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0530_FileExtRename.yaml",
"query": "union isfuzzy=true\n (DeviceFileEvents\n | where ActionType == \"FileCreated\"\n | where FileName endswith \".h0lyenc\" or FolderPath == \"C:\\\\FOR_DECRYPT.html\"\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\n by\n AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,\n DeviceName,\n Type,\n InitiatingProcessId,\n FileName,\n FolderPath,\n EventType = ActionType,\n Commandline = InitiatingProcessCommandLine,\n InitiatingProcessFileName,\n InitiatingProcessSHA256,\n FileHashCustomEntity = SHA256,\n AlgorithmCustomEntity = \"SHA256\"\n | extend HostName = tostring(split(DeviceName, \".\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\n ),\n (imFileEvent\n | where EventType == \"FileCreated\"\n | where TargetFilePath endswith \".h0lyenc\" or TargetFilePath == \"C:\\\\FOR_DECRYPT.html\"\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\n by\n ActorUsername,\n DvcHostname,\n DvcDomain,\n DvcId,\n Type,\n EventType,\n FileHashCustomEntity = TargetFileSHA256,\n Hash,\n TargetFilePath,\n Commandline = ActingProcessCommandLine,\n AlgorithmCustomEntity = \"SHA256\"\n | extend AccountName = tostring(split(ActorUsername, @'\\')[1]), AccountDomain = tostring(split(ActorUsername, @'\\')[0])\n | extend HostName = DvcHostname, HostNameDomain = DvcDomain\n | extend DeviceName = strcat(DvcHostname, \".\", DvcDomain )\n )\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"tags": [
"Dev-0530",
{
"Schema": "ASIMFileEvent",
"SchemaVersion": "0.1.0"
}
],
"techniques": [
"T1486"
],
"templateVersion": "1.1.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}