Potential Ransomware activity related to Cobalt Strike
| Id | 4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d |
| Rulename | Potential Ransomware activity related to Cobalt Strike |
| Description | This query searches for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns. It looks for alerts that indicate potential ransomware activity, such as attempts to clear security event logs, delete backup files, and execute Cobalt Strike malware. |
| Severity | High |
| Tactics | Execution Persistence DefenseEvasion Impact |
| Techniques | T1059 T1078 T1070 T1490 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/PotentialCobaltStrikeRansomwareActivity.yaml |
| Version | 1.0.1 |
| Arm template | 4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d.json |
// Look for sc.exe disabling services
AlertInfo
// Attempts to clear security event logs.
| where Title in("Event log was cleared",
// List alerts flagging attempts to delete backup files.
"File backups were deleted",
// Potential Cobalt Strike activity - Note that other threat activity can also
// trigger alerts for suspicious decoded content
"Suspicious decoded content",
// Cobalt Strike activity
"\'Atosev\' malware was detected",
"\'Ploty\' malware was detected",
"\'Bynoco\' malware was detected",
"\'Cobaltstrike\' malware was detected",
"Echo command over pipe on localhost",
"Known attack framework activity was observed",
"An active \'Cobaltstrike\' malware was detected",
"Suspicious \'CobaltStrike\' behavior was prevented",
"Suspicious process launch by Rundll32.exe")
| extend AlertTime = TimeGenerated | distinct AlertTime, AlertId, Title
| join AlertEvidence on $left.AlertId == $right.AlertId
| summarize by DeviceId, AlertTime, Title, AlertId
// Get device IDs
| join DeviceLogonEvents on $left.DeviceId == $right.DeviceId
// Creating 10 day Window surrounding alert activity
| where TimeGenerated < AlertTime + 12h and TimeGenerated > AlertTime - 12h // Projecting specific columns
| project Title, DeviceName, DeviceId, TimeGenerated, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName
| extend AccountFullName = tostring(strcat(AccountDomain, "\\", AccountName))
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
id: 4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d
tactics:
- Execution
- Persistence
- DefenseEvasion
- Impact
queryPeriod: 1d
triggerThreshold: 0
name: Potential Ransomware activity related to Cobalt Strike
query: |
// Look for sc.exe disabling services
AlertInfo
// Attempts to clear security event logs.
| where Title in("Event log was cleared",
// List alerts flagging attempts to delete backup files.
"File backups were deleted",
// Potential Cobalt Strike activity - Note that other threat activity can also
// trigger alerts for suspicious decoded content
"Suspicious decoded content",
// Cobalt Strike activity
"\'Atosev\' malware was detected",
"\'Ploty\' malware was detected",
"\'Bynoco\' malware was detected",
"\'Cobaltstrike\' malware was detected",
"Echo command over pipe on localhost",
"Known attack framework activity was observed",
"An active \'Cobaltstrike\' malware was detected",
"Suspicious \'CobaltStrike\' behavior was prevented",
"Suspicious process launch by Rundll32.exe")
| extend AlertTime = TimeGenerated | distinct AlertTime, AlertId, Title
| join AlertEvidence on $left.AlertId == $right.AlertId
| summarize by DeviceId, AlertTime, Title, AlertId
// Get device IDs
| join DeviceLogonEvents on $left.DeviceId == $right.DeviceId
// Creating 10 day Window surrounding alert activity
| where TimeGenerated < AlertTime + 12h and TimeGenerated > AlertTime - 12h // Projecting specific columns
| project Title, DeviceName, DeviceId, TimeGenerated, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName
| extend AccountFullName = tostring(strcat(AccountDomain, "\\", AccountName))
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
severity: High
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1059
- T1078
- T1070
- T1490
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/PotentialCobaltStrikeRansomwareActivity.yaml
queryFrequency: 1d
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- AlertInfo
- AlertEvidence
- DeviceLogonEvents
description: |
This query searches for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns. It looks for alerts that indicate potential ransomware activity, such as attempts to clear security event logs, delete backup files, and execute Cobalt Strike malware.
status: Available
version: 1.0.1
entityMappings:
- fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
entityType: Host
- fieldMappings:
- columnName: AccountFullName
identifier: FullName
- columnName: AccountName
identifier: Name
- columnName: AccountDomain
identifier: DnsDomain
entityType: Account
- fieldMappings:
- columnName: RemoteIP
identifier: Address
entityType: IP
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d')]",
"properties": {
"alertRuleTemplateName": "4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d",
"customDetails": null,
"description": "This query searches for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns. It looks for alerts that indicate potential ransomware activity, such as attempts to clear security event logs, delete backup files, and execute Cobalt Strike malware.\n",
"displayName": "Potential Ransomware activity related to Cobalt Strike",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountFullName",
"identifier": "FullName"
},
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountDomain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "RemoteIP",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/PotentialCobaltStrikeRansomwareActivity.yaml",
"query": "// Look for sc.exe disabling services\nAlertInfo \n// Attempts to clear security event logs. \n| where Title in(\"Event log was cleared\", \n// List alerts flagging attempts to delete backup files. \n\"File backups were deleted\", \n// Potential Cobalt Strike activity - Note that other threat activity can also \n// trigger alerts for suspicious decoded content \n\"Suspicious decoded content\", \n// Cobalt Strike activity \n\"\\'Atosev\\' malware was detected\", \n\"\\'Ploty\\' malware was detected\", \n\"\\'Bynoco\\' malware was detected\",\n\"\\'Cobaltstrike\\' malware was detected\",\n\"Echo command over pipe on localhost\",\n\"Known attack framework activity was observed\",\n\"An active \\'Cobaltstrike\\' malware was detected\",\n\"Suspicious \\'CobaltStrike\\' behavior was prevented\",\n\"Suspicious process launch by Rundll32.exe\") \n| extend AlertTime = TimeGenerated | distinct AlertTime, AlertId, Title \n| join AlertEvidence on $left.AlertId == $right.AlertId\n| summarize by DeviceId, AlertTime, Title, AlertId\n// Get device IDs\n| join DeviceLogonEvents on $left.DeviceId == $right.DeviceId \n// Creating 10 day Window surrounding alert activity \n| where TimeGenerated < AlertTime + 12h and TimeGenerated > AlertTime - 12h // Projecting specific columns \n| project Title, DeviceName, DeviceId, TimeGenerated, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName\n| extend AccountFullName = tostring(strcat(AccountDomain, \"\\\\\", AccountName))\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Execution",
"Impact",
"Persistence"
],
"techniques": [
"T1059",
"T1070",
"T1078",
"T1490"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}