Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Remote File Creation with PsExec

Back
Id35ab0d58-baab-4154-87ed-fa2f69797e9e
RulenameRemote File Creation with PsExec
DescriptionThis query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog.

Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot.

Ryuk operators use PsExec to manually spread the ransomware to other devices.

The following query detects remote file creation events that might indicate an active attack.

The See also section below lists links to other queries associated with Ryuk ransomware.

References:

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk.AA

https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

https://docs.microsoft.com/sysinternals/downloads/psexec
SeverityHigh
TacticsLateralMovement
TechniquesT1570
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Lateral Movement/RemoteFileCreationWithPsExec.yaml
Version1.0.0
Arm template35ab0d58-baab-4154-87ed-fa2f69797e9e.json
Deploy To Azure
// Find PsExec creating multiple files on remote machines in a 10-minute window
DeviceFileEvents
// Looking for PsExec by accepteula command flag
| where InitiatingProcessCommandLine has "accepteula"
// Remote machines and file is exe
| where FolderPath has "\\\\" and FileName endswith ".exe"
| extend Exe = countof(InitiatingProcessCommandLine, ".exe")
// Checking to see if command line has 2 .exe or .bat
| where InitiatingProcessCommandLine !has ".ps1" and Exe > 1 or
InitiatingProcessCommandLine has ".bat"
// Exclusions: Remove the following line to widen scope of AHQ
| where not(InitiatingProcessCommandLine has_any("batch", "auditpol",
"script", "scripts", "illusive", "rebootrequired"))
| summarize FileCount = dcount(FolderPath), make_set(SHA1, 100000), make_set(FolderPath, 100000),
make_set(FileName, 100000), make_set(InitiatingProcessCommandLine, 100000) by DeviceId, DeviceName,
TimeWindow=bin(TimeGenerated, 10m), InitiatingProcessFileName
| where FileCount > 4
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
name: Remote File Creation with PsExec
version: 1.0.0
severity: High
queryFrequency: 1h
triggerOperator: gt
tags:
- Ryuk
- Ransomware
- PsExec
relevantTechniques:
- T1570
status: Available
description: |
  This query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog.
  Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot.
  Ryuk operators use PsExec to manually spread the ransomware to other devices.
  The following query detects remote file creation events that might indicate an active attack.
  The See also section below lists links to other queries associated with Ryuk ransomware.
  References:
  https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
  https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk.AA
  https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
  https://docs.microsoft.com/sysinternals/downloads/psexec  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Lateral Movement/RemoteFileCreationWithPsExec.yaml
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceFileEvents
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
tactics:
- LateralMovement
queryPeriod: 1h
query: |
  // Find PsExec creating multiple files on remote machines in a 10-minute window
  DeviceFileEvents
  // Looking for PsExec by accepteula command flag
  | where InitiatingProcessCommandLine has "accepteula"
  // Remote machines and file is exe
  | where FolderPath has "\\\\" and FileName endswith ".exe"
  | extend Exe = countof(InitiatingProcessCommandLine, ".exe")
  // Checking to see if command line has 2 .exe or .bat
  | where InitiatingProcessCommandLine !has ".ps1" and Exe > 1 or
  InitiatingProcessCommandLine has ".bat"
  // Exclusions: Remove the following line to widen scope of AHQ
  | where not(InitiatingProcessCommandLine has_any("batch", "auditpol",
  "script", "scripts", "illusive", "rebootrequired"))
  | summarize FileCount = dcount(FolderPath), make_set(SHA1, 100000), make_set(FolderPath, 100000),
  make_set(FileName, 100000), make_set(InitiatingProcessCommandLine, 100000) by DeviceId, DeviceName,
  TimeWindow=bin(TimeGenerated, 10m), InitiatingProcessFileName
  | where FileCount > 4
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
kind: Scheduled
triggerThreshold: 0
id: 35ab0d58-baab-4154-87ed-fa2f69797e9e
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/35ab0d58-baab-4154-87ed-fa2f69797e9e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/35ab0d58-baab-4154-87ed-fa2f69797e9e')]",
      "properties": {
        "alertRuleTemplateName": "35ab0d58-baab-4154-87ed-fa2f69797e9e",
        "customDetails": null,
        "description": "This query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog.\nRyuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot.\nRyuk operators use PsExec to manually spread the ransomware to other devices.\nThe following query detects remote file creation events that might indicate an active attack.\nThe See also section below lists links to other queries associated with Ryuk ransomware.\nReferences:\nhttps://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/\nhttps://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk.AA\nhttps://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/\nhttps://docs.microsoft.com/sysinternals/downloads/psexec\n",
        "displayName": "Remote File Creation with PsExec",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Lateral Movement/RemoteFileCreationWithPsExec.yaml",
        "query": "// Find PsExec creating multiple files on remote machines in a 10-minute window\nDeviceFileEvents\n// Looking for PsExec by accepteula command flag\n| where InitiatingProcessCommandLine has \"accepteula\"\n// Remote machines and file is exe\n| where FolderPath has \"\\\\\\\\\" and FileName endswith \".exe\"\n| extend Exe = countof(InitiatingProcessCommandLine, \".exe\")\n// Checking to see if command line has 2 .exe or .bat\n| where InitiatingProcessCommandLine !has \".ps1\" and Exe > 1 or\nInitiatingProcessCommandLine has \".bat\"\n// Exclusions: Remove the following line to widen scope of AHQ\n| where not(InitiatingProcessCommandLine has_any(\"batch\", \"auditpol\",\n\"script\", \"scripts\", \"illusive\", \"rebootrequired\"))\n| summarize FileCount = dcount(FolderPath), make_set(SHA1, 100000), make_set(FolderPath, 100000),\nmake_set(FileName, 100000), make_set(InitiatingProcessCommandLine, 100000) by DeviceId, DeviceName,\nTimeWindow=bin(TimeGenerated, 10m), InitiatingProcessFileName\n| where FileCount > 4\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "tags": [
          "Ryuk",
          "Ransomware",
          "PsExec"
        ],
        "techniques": [
          "T1570"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}