Imminent Ransomware
| Field | Value |
|---|---|
| Id | bb46dd86-e642-48a4-975c-44f5ac2b5033 |
| Rulename | Imminent Ransomware |
| Description | This query checks for a series of commands that are commonly used by attackers to disable security tools and system recovery tools before deploying Macaw ransomware in an organization. |
| Severity | High |
| Tactics | DefenseEvasion, Persistence |
| Techniques | T1562, T1547 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Macaw Ransomware/ImminentRansomware.yaml |
| Version | 1.0.0 |
| Arm template | bb46dd86-e642-48a4-975c-44f5ac2b5033.json |
```kusto
_ASim_ProcessEvent
// Pivot on command-line fragments associated with the tampering behaviours scored below
| where CommandLine has_any("-ExclusionPath", "Set-MpPreference", "advfirewall", "-ExclusionExtension",
    "-EnableControlledFolderAccess", "windefend", "onstart", "bcdedit", "Startup")
// Collect the distinct matching command lines per device in 6-hour windows
| summarize CommandLine = make_set(CommandLine, 10000) by DvcId, Dvc, bin(TimeGenerated, 6h)
// One 0/1 indicator column per TTP, evaluated over the collected set for later aggregation
| extend StartUpExclusionPath = iff(CommandLine has_all("-ExclusionPath", "Startup"), 1, 0)
| extend DefenderTamp = iff(CommandLine has "Set-MpPreference"
    and CommandLine has_any(
        "-SevereThreatDefaultAction 6",
        "-HighThreatDefaultAction 6",
        "-ModerateThreatDefaultAction 6",
        "-LowThreatDefaultAction 6",
        "-ScanScheduleDay 8"), 1, 0)
| extend NetshFirewallTampering = iff(CommandLine has_all("netsh", "advfirewall", "allprofiles state off"), 1, 0)
| extend BatExclusion = iff(CommandLine has_all("-ExclusionExtension", ".bat"), 1, 0)
| extend ExeExclusion = iff(CommandLine has_all("-ExclusionExtension", ".exe"), 1, 0)
| extend DisableControlledFolderAccess = iff(CommandLine has_all("-EnableControlledFolderAccess", "Disabled"), 1, 0)
| extend ScDeleteDefend = iff(CommandLine has_all("sc", "delete", "windefend"), 1, 0)
| extend BootTampering = iff(CommandLine has_all("bcdedit", "default") and CommandLine has_any("recoveryenabled No", "bootstatuspolicy ignoreallfailures"), 1, 0)
| extend SchTasks = iff(CommandLine has_all("/sc", "onstart", "system", "/create", "/delay"), 1, 0)
// Reduce to one row per device, window and indicator combination
| summarize by NetshFirewallTampering, BatExclusion, ExeExclusion, DisableControlledFolderAccess, ScDeleteDefend, SchTasks, BootTampering, DefenderTamp, StartUpExclusionPath, DvcId, Dvc, TimeGenerated
// Add up each piece of evidence and alert only when at least five distinct behaviours co-occur
| extend EvidenceCount = NetshFirewallTampering + BatExclusion + ExeExclusion + DisableControlledFolderAccess + ScDeleteDefend + SchTasks + BootTampering + DefenderTamp + StartUpExclusionPath
| where EvidenceCount > 4
| extend HostName = iff(Dvc has '.', substring(Dvc, 0, indexof(Dvc, '.')), Dvc)
| extend DnsDomain = iff(Dvc has '.', substring(Dvc, indexof(Dvc, '.') + 1), "")
```
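To make the scoring logic concrete, the following added example (not part of the Sentinel rule or the Azure-Sentinel repository) re-implements the query's pivot, per-device 6-hour bucketing, nine indicator columns and `EvidenceCount > 4` threshold in Python over a handful of constructed `_ASim_ProcessEvent` rows. Kusto's `has`/`has_all`/`has_any` term matching is approximated here by case-insensitive substring containment, which is looser than the real operator; `SAMPLE_EVENTS`, `evaluate` and the hour-offset timestamps are assumptions for the demonstration.

```python
from collections import defaultdict
# Constructed sample _ASim_ProcessEvent rows: (hour offset, DvcId, Dvc, CommandLine).
SAMPLE_EVENTS = [
    (1, "dvc-1", "ws01.corp.example", 'Set-MpPreference -ExclusionExtension ".bat"'),
    (1, "dvc-1", "ws01.corp.example", 'Set-MpPreference -ExclusionExtension ".exe"'),
    (2, "dvc-1", "ws01.corp.example", "netsh advfirewall set allprofiles state off"),
    (2, "dvc-1", "ws01.corp.example", "sc delete windefend"),
    (3, "dvc-1", "ws01.corp.example", "bcdedit /set {default} recoveryenabled No"),
    (9, "dvc-2", "ws02", 'Set-MpPreference -ExclusionExtension ".bat"'),  # lone exclusion, below threshold
]
PIVOT_TERMS = ("-ExclusionPath", "Set-MpPreference", "advfirewall", "-ExclusionExtension",
               "-EnableControlledFolderAccess", "windefend", "onstart", "bcdedit", "Startup")

def has_all(cmds, *terms):
    # Kusto has_all over the make_set array, approximated as case-insensitive
    # containment: every term must appear in at least one collected command line.
    return all(any(t.lower() in c.lower() for c in cmds) for t in terms)

def has_any(cmds, *terms):
    return any(t.lower() in c.lower() for c in cmds for t in terms)

# One indicator per `extend` in the rule; each contributes 0 or 1 to EvidenceCount.
INDICATORS = {
    "StartUpExclusionPath": lambda c: has_all(c, "-ExclusionPath", "Startup"),
    "DefenderTamp": lambda c: has_any(c, "Set-MpPreference") and has_any(
        c, "-SevereThreatDefaultAction 6", "-HighThreatDefaultAction 6",
        "-ModerateThreatDefaultAction 6", "-LowThreatDefaultAction 6", "-ScanScheduleDay 8"),
    "NetshFirewallTampering": lambda c: has_all(c, "netsh", "advfirewall", "allprofiles state off"),
    "BatExclusion": lambda c: has_all(c, "-ExclusionExtension", ".bat"),
    "ExeExclusion": lambda c: has_all(c, "-ExclusionExtension", ".exe"),
    "DisableControlledFolderAccess": lambda c: has_all(c, "-EnableControlledFolderAccess", "Disabled"),
    "ScDeleteDefend": lambda c: has_all(c, "sc", "delete", "windefend"),
    "BootTampering": lambda c: has_all(c, "bcdedit", "default")
        and has_any(c, "recoveryenabled No", "bootstatuspolicy ignoreallfailures"),
    "SchTasks": lambda c: has_all(c, "/sc", "onstart", "system", "/create", "/delay"),
}

def evaluate(events, threshold=4):
    """Return one alert row per (device, 6h bin) whose EvidenceCount exceeds threshold."""
    buckets = defaultdict(set)
    for hour, dvc_id, dvc, cmd in events:
        if has_any([cmd], *PIVOT_TERMS):                 # the initial `where` pivot
            buckets[(dvc_id, dvc, hour // 6)].add(cmd)   # make_set per device per 6h bin
    alerts = []
    for (dvc_id, dvc, _tbin), cmds in buckets.items():
        hits = {name: int(pred(cmds)) for name, pred in INDICATORS.items()}
        count = sum(hits.values())
        if count > threshold:
            host, _, domain = dvc.partition(".")         # HostName / DnsDomain entity split
            alerts.append({"DvcId": dvc_id, "Dvc": dvc, "HostName": host, "DnsDomain": domain, "EvidenceCount": count, **hits})
    return alerts
```

Running `evaluate(SAMPLE_EVENTS)` yields a single row for ws01 with five indicators set, while ws02's lone exclusion never reaches the threshold, which is the point of summing independent behaviours rather than alerting on any one of them.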
```yaml
description: |
  This query checks for a series of commands that are commonly used by attackers to disable security tools and system recovery tools before deploying Macaw ransomware in an organization.
kind: Scheduled
tactics:
  - DefenseEvasion
  - Persistence
requiredDataConnectors: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Macaw Ransomware/ImminentRansomware.yaml
severity: High
name: Imminent Ransomware
triggerThreshold: 0
queryPeriod: 1h
query: |
  _ASim_ProcessEvent
  // Pivot on command-line fragments associated with the tampering behaviours scored below
  | where CommandLine has_any("-ExclusionPath", "Set-MpPreference", "advfirewall", "-ExclusionExtension",
      "-EnableControlledFolderAccess", "windefend", "onstart", "bcdedit", "Startup")
  // Collect the distinct matching command lines per device in 6-hour windows
  | summarize CommandLine = make_set(CommandLine, 10000) by DvcId, Dvc, bin(TimeGenerated, 6h)
  // One 0/1 indicator column per TTP, evaluated over the collected set for later aggregation
  | extend StartUpExclusionPath = iff(CommandLine has_all("-ExclusionPath", "Startup"), 1, 0)
  | extend DefenderTamp = iff(CommandLine has "Set-MpPreference"
      and CommandLine has_any(
          "-SevereThreatDefaultAction 6",
          "-HighThreatDefaultAction 6",
          "-ModerateThreatDefaultAction 6",
          "-LowThreatDefaultAction 6",
          "-ScanScheduleDay 8"), 1, 0)
  | extend NetshFirewallTampering = iff(CommandLine has_all("netsh", "advfirewall", "allprofiles state off"), 1, 0)
  | extend BatExclusion = iff(CommandLine has_all("-ExclusionExtension", ".bat"), 1, 0)
  | extend ExeExclusion = iff(CommandLine has_all("-ExclusionExtension", ".exe"), 1, 0)
  | extend DisableControlledFolderAccess = iff(CommandLine has_all("-EnableControlledFolderAccess", "Disabled"), 1, 0)
  | extend ScDeleteDefend = iff(CommandLine has_all("sc", "delete", "windefend"), 1, 0)
  | extend BootTampering = iff(CommandLine has_all("bcdedit", "default") and CommandLine has_any("recoveryenabled No", "bootstatuspolicy ignoreallfailures"), 1, 0)
  | extend SchTasks = iff(CommandLine has_all("/sc", "onstart", "system", "/create", "/delay"), 1, 0)
  // Reduce to one row per device, window and indicator combination
  | summarize by NetshFirewallTampering, BatExclusion, ExeExclusion, DisableControlledFolderAccess, ScDeleteDefend, SchTasks, BootTampering, DefenderTamp, StartUpExclusionPath, DvcId, Dvc, TimeGenerated
  // Add up each piece of evidence and alert only when at least five distinct behaviours co-occur
  | extend EvidenceCount = NetshFirewallTampering + BatExclusion + ExeExclusion + DisableControlledFolderAccess + ScDeleteDefend + SchTasks + BootTampering + DefenderTamp + StartUpExclusionPath
  | where EvidenceCount > 4
  | extend HostName = iff(Dvc has '.', substring(Dvc, 0, indexof(Dvc, '.')), Dvc)
  | extend DnsDomain = iff(Dvc has '.', substring(Dvc, indexof(Dvc, '.') + 1), "")
relevantTechniques:
  - T1562
  - T1547
id: bb46dd86-e642-48a4-975c-44f5ac2b5033
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.0
tags:
  - Schema: _ASim_ProcessEvent
    SchemaVersion: 0.1.4
  - Ransomware Campaign
  - Macaw Ransomware
entityMappings:
  - entityType: Host
    fieldMappings:
      - columnName: Dvc
        identifier: FullName
      - columnName: HostName
        identifier: HostName
      - columnName: DnsDomain
        identifier: DnsDomain
```