Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Doppelpaymer Stop Services

Doppelpaymer Stop Services

Back
Id5bdc1504-880c-4b30-a39c-7c746535928d
RulenameDoppelpaymer Stop Services
DescriptionThis query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog.

DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization.

The following query detects attempts to stop security services.

The See also section below lists links to other queries associated with DoppelPaymer.

References:

https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB
SeverityHigh
TacticsExecution
DefenseEvasion
TechniquesT1059
T1562
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/DoppelpaymerStopService.yaml
Version1.0.0
Arm template5bdc1504-880c-4b30-a39c-7c746535928d.json
Deploy To Azure
// Attempts to stop services and allow ransomware execution
DeviceProcessEvents
| where InitiatingProcessFileName startswith "psexe" and FileName =~ "powershell.exe" and
  ProcessCommandLine has "stop-service" and ProcessCommandLine has "sql" and ProcessCommandLine has "msexchange"
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

relevantTechniques:
- T1059
- T1562
name: Doppelpaymer Stop Services
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
triggerThreshold: 0
id: 5bdc1504-880c-4b30-a39c-7c746535928d
tactics:
- Execution
- DefenseEvasion
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/DoppelpaymerStopService.yaml
queryPeriod: 1h
kind: Scheduled
tags:
- DoppelPaymer
- Ransomware
queryFrequency: 1h
severity: High
status: Available
description: |
  This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog.
  DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization.
  The following query detects attempts to stop security services.
  The See also section below lists links to other queries associated with DoppelPaymer.
  References:
  https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/
  https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB  
query: |
  // Attempts to stop services and allow ransomware execution
  DeviceProcessEvents
  | where InitiatingProcessFileName startswith "psexe" and FileName =~ "powershell.exe" and
    ProcessCommandLine has "stop-service" and ProcessCommandLine has "sql" and ProcessCommandLine has "msexchange"
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5bdc1504-880c-4b30-a39c-7c746535928d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5bdc1504-880c-4b30-a39c-7c746535928d')]",
      "properties": {
        "alertRuleTemplateName": "5bdc1504-880c-4b30-a39c-7c746535928d",
        "customDetails": null,
        "description": "This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog.\nDoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization.\nThe following query detects attempts to stop security services.\nThe See also section below lists links to other queries associated with DoppelPaymer.\nReferences:\nhttps://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/\nhttps://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB\n",
        "displayName": "Doppelpaymer Stop Services",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/DoppelpaymerStopService.yaml",
        "query": "// Attempts to stop services and allow ransomware execution\nDeviceProcessEvents\n| where InitiatingProcessFileName startswith \"psexe\" and FileName =~ \"powershell.exe\" and\n  ProcessCommandLine has \"stop-service\" and ProcessCommandLine has \"sql\" and ProcessCommandLine has \"msexchange\"\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Execution"
        ],
        "tags": [
          "DoppelPaymer",
          "Ransomware"
        ],
        "techniques": [
          "T1059",
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}