Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Potential Ransomware activity related to Cobalt Strike

Back
Id4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d
RulenamePotential Ransomware activity related to Cobalt Strike
DescriptionThis query searches for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns. It looks for alerts that indicate potential ransomware activity, such as attempts to clear security event logs, delete backup files, and execute Cobalt Strike malware.
SeverityHigh
TacticsExecution
Persistence
DefenseEvasion
Impact
TechniquesT1059
T1078
T1070
T1490
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/PotentialCobaltStrikeRansomwareActivity.yaml
Version1.0.1
Arm template4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d.json
Deploy To Azure
// Look for sc.exe disabling services
AlertInfo 
// Attempts to clear security event logs. 
| where Title in("Event log was cleared", 
// List alerts flagging attempts to delete backup files. 
"File backups were deleted", 
// Potential Cobalt Strike activity - Note that other threat activity can also 
// trigger alerts for suspicious decoded content 
"Suspicious decoded content", 
// Cobalt Strike activity 
"\'Atosev\' malware was detected", 
"\'Ploty\' malware was detected", 
"\'Bynoco\' malware was detected",
"\'Cobaltstrike\' malware was detected",
"Echo command over pipe on localhost",
"Known attack framework activity was observed",
"An active \'Cobaltstrike\' malware was detected",
"Suspicious \'CobaltStrike\' behavior was prevented",
"Suspicious process launch by Rundll32.exe") 
| extend AlertTime = TimeGenerated | distinct AlertTime, AlertId, Title 
| join AlertEvidence on $left.AlertId == $right.AlertId
| summarize by DeviceId, AlertTime, Title, AlertId
// Get device IDs
| join DeviceLogonEvents on $left.DeviceId == $right.DeviceId 
// Creating 10 day Window surrounding alert activity 
| where TimeGenerated < AlertTime + 12h and TimeGenerated > AlertTime - 12h // Projecting specific columns 
| project Title, DeviceName, DeviceId, TimeGenerated, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName
| extend AccountFullName = tostring(strcat(AccountDomain, "\\", AccountName))
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
name: Potential Ransomware activity related to Cobalt Strike
version: 1.0.1
severity: High
queryFrequency: 1d
triggerOperator: gt
relevantTechniques:
- T1059
- T1078
- T1070
- T1490
status: Available
description: |
    This query searches for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns. It looks for alerts that indicate potential ransomware activity, such as attempts to clear security event logs, delete backup files, and execute Cobalt Strike malware.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/PotentialCobaltStrikeRansomwareActivity.yaml
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - AlertInfo
  - AlertEvidence
  - DeviceLogonEvents
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
- fieldMappings:
  - identifier: FullName
    columnName: AccountFullName
  - identifier: Name
    columnName: AccountName
  - identifier: DnsDomain
    columnName: AccountDomain
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: RemoteIP
  entityType: IP
tactics:
- Execution
- Persistence
- DefenseEvasion
- Impact
queryPeriod: 1d
query: |
  // Look for sc.exe disabling services
  AlertInfo 
  // Attempts to clear security event logs. 
  | where Title in("Event log was cleared", 
  // List alerts flagging attempts to delete backup files. 
  "File backups were deleted", 
  // Potential Cobalt Strike activity - Note that other threat activity can also 
  // trigger alerts for suspicious decoded content 
  "Suspicious decoded content", 
  // Cobalt Strike activity 
  "\'Atosev\' malware was detected", 
  "\'Ploty\' malware was detected", 
  "\'Bynoco\' malware was detected",
  "\'Cobaltstrike\' malware was detected",
  "Echo command over pipe on localhost",
  "Known attack framework activity was observed",
  "An active \'Cobaltstrike\' malware was detected",
  "Suspicious \'CobaltStrike\' behavior was prevented",
  "Suspicious process launch by Rundll32.exe") 
  | extend AlertTime = TimeGenerated | distinct AlertTime, AlertId, Title 
  | join AlertEvidence on $left.AlertId == $right.AlertId
  | summarize by DeviceId, AlertTime, Title, AlertId
  // Get device IDs
  | join DeviceLogonEvents on $left.DeviceId == $right.DeviceId 
  // Creating 10 day Window surrounding alert activity 
  | where TimeGenerated < AlertTime + 12h and TimeGenerated > AlertTime - 12h // Projecting specific columns 
  | project Title, DeviceName, DeviceId, TimeGenerated, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName
  | extend AccountFullName = tostring(strcat(AccountDomain, "\\", AccountName))
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
kind: Scheduled
triggerThreshold: 0
id: 4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d')]",
      "properties": {
        "alertRuleTemplateName": "4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d",
        "customDetails": null,
        "description": "This query searches for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns. It looks for alerts that indicate potential ransomware activity, such as attempts to clear security event logs, delete backup files, and execute Cobalt Strike malware.\n",
        "displayName": "Potential Ransomware activity related to Cobalt Strike",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountFullName",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "RemoteIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/PotentialCobaltStrikeRansomwareActivity.yaml",
        "query": "// Look for sc.exe disabling services\nAlertInfo \n// Attempts to clear security event logs. \n| where Title in(\"Event log was cleared\", \n// List alerts flagging attempts to delete backup files. \n\"File backups were deleted\", \n// Potential Cobalt Strike activity - Note that other threat activity can also \n// trigger alerts for suspicious decoded content \n\"Suspicious decoded content\", \n// Cobalt Strike activity \n\"\\'Atosev\\' malware was detected\", \n\"\\'Ploty\\' malware was detected\", \n\"\\'Bynoco\\' malware was detected\",\n\"\\'Cobaltstrike\\' malware was detected\",\n\"Echo command over pipe on localhost\",\n\"Known attack framework activity was observed\",\n\"An active \\'Cobaltstrike\\' malware was detected\",\n\"Suspicious \\'CobaltStrike\\' behavior was prevented\",\n\"Suspicious process launch by Rundll32.exe\") \n| extend AlertTime = TimeGenerated | distinct AlertTime, AlertId, Title \n| join AlertEvidence on $left.AlertId == $right.AlertId\n| summarize by DeviceId, AlertTime, Title, AlertId\n// Get device IDs\n| join DeviceLogonEvents on $left.DeviceId == $right.DeviceId \n// Creating 10 day Window surrounding alert activity \n| where TimeGenerated < AlertTime + 12h and TimeGenerated > AlertTime - 12h // Projecting specific columns \n| project Title, DeviceName, DeviceId, TimeGenerated, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName\n| extend AccountFullName = tostring(strcat(AccountDomain, \"\\\\\", AccountName))\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Execution",
          "Impact",
          "Persistence"
        ],
        "techniques": [
          "T1059",
          "T1070",
          "T1078",
          "T1490"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}