Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Imminent Ransomware

Back
Idbb46dd86-e642-48a4-975c-44f5ac2b5033
RulenameImminent Ransomware
DescriptionThis query checks for a series of commands that are commonly used by attackers to disable security tools and system recovery tools before deploying Macaw ransomware in an organization.
SeverityHigh
TacticsDefenseEvasion
Persistence
TechniquesT1562
T1547
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Macaw Ransomware/ImminentRansomware.yaml
Version1.0.0
Arm templatebb46dd86-e642-48a4-975c-44f5ac2b5033.json
Deploy To Azure
_ASim_ProcessEvent 
// Pivot on specific commands 
| where CommandLine has_any("-ExclusionPath", "Set-MpPreference", "advfirewall", "-ExclusionExtension", 
"-EnableControlledFolderAccess", "windefend", "onstart", "bcdedit", "Startup") 
// Making list of found commands 
| summarize CommandLine = make_set(CommandLine, 10000) by DvcId, Dvc, bin(TimeGenerated, 6h) 
// Extending columns for later aggregration, based on TTP
| extend StartUpExclusionPath = iff(CommandLine has_all("-ExclusionPath", "Startup"), 1, 0) 
| extend DefenderTamp = iff(CommandLine has "Set-MpPreference" 
and CommandLine has_any( 
"-SevereThreatDefaultAction 6" 
"-HighThreatDefaultAction 6", 
"-ModerateThreatDefaultAction 6", 
"-LowThreatDefaultAction 6" 
"-ScanScheduleDay 8"), 1, 0) 
| extend NetshFirewallTampering = iff(CommandLine has_all( "netsh", "advfirewall", "allprofiles state off"), 1, 0) 
| extend BatExclusion = iff(CommandLine has_all("-ExclusionExtension", ".bat"), 1, 0) 
| extend ExeExclusion = iff(CommandLine has_all("-ExclusionExtension", ".exe"), 1, 0) 
| extend DisableControlledFolderAccess = iff(CommandLine has_all("-EnableControlledFolderAccess", "Disabled"), 1, 0) 
| extend ScDeleteDefend = iff(CommandLine has_all("sc", "delete", "windefend"), 1, 0) 
| extend BootTampering = iff(CommandLine has_all("bcdedit", "default") and CommandLine has_any ("recoveryenabled No", "bootstatuspolicy ignoreallfailures"), 1, 0) 
| extend SchTasks = iff(CommandLine has_all("/sc", "onstart", "system", "/create", "/delay"), 1, 0) 
// Summarizing found commands 
| summarize by NetshFirewallTampering ,BatExclusion, ExeExclusion, DisableControlledFolderAccess, ScDeleteDefend, SchTasks, BootTampering, DefenderTamp, StartUpExclusionPath, DvcId, Dvc, TimeGenerated 
// Adding up each piece of evidence 
| extend EvidenceCount = NetshFirewallTampering + BatExclusion + ExeExclusion + DisableControlledFolderAccess + ScDeleteDefend + SchTasks + BootTampering + DefenderTamp + StartUpExclusionPath 
| where EvidenceCount > 4
| extend HostName = iff(Dvc has '.', substring(Dvc, 0, indexof(Dvc, '.')), Dvc)
| extend DnsDomain = iff(Dvc has '.', substring(Dvc, indexof(Dvc, '.') + 1), "")
name: Imminent Ransomware
version: 1.0.0
severity: High
queryFrequency: 1h
triggerOperator: gt
tags:
- Schema: _ASim_ProcessEvent
  SchemaVersion: 0.1.4
- Ransomware Campaign
- Macaw Ransomware
relevantTechniques:
- T1562
- T1547
status: Available
description: |
    This query checks for a series of commands that are commonly used by attackers to disable security tools and system recovery tools before deploying Macaw ransomware in an organization.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Macaw Ransomware/ImminentRansomware.yaml
requiredDataConnectors: []
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Dvc
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
tactics:
- DefenseEvasion
- Persistence
queryPeriod: 1h
query: |
  _ASim_ProcessEvent 
  // Pivot on specific commands 
  | where CommandLine has_any("-ExclusionPath", "Set-MpPreference", "advfirewall", "-ExclusionExtension", 
  "-EnableControlledFolderAccess", "windefend", "onstart", "bcdedit", "Startup") 
  // Making list of found commands 
  | summarize CommandLine = make_set(CommandLine, 10000) by DvcId, Dvc, bin(TimeGenerated, 6h) 
  // Extending columns for later aggregration, based on TTP
  | extend StartUpExclusionPath = iff(CommandLine has_all("-ExclusionPath", "Startup"), 1, 0) 
  | extend DefenderTamp = iff(CommandLine has "Set-MpPreference" 
  and CommandLine has_any( 
  "-SevereThreatDefaultAction 6" 
  "-HighThreatDefaultAction 6", 
  "-ModerateThreatDefaultAction 6", 
  "-LowThreatDefaultAction 6" 
  "-ScanScheduleDay 8"), 1, 0) 
  | extend NetshFirewallTampering = iff(CommandLine has_all( "netsh", "advfirewall", "allprofiles state off"), 1, 0) 
  | extend BatExclusion = iff(CommandLine has_all("-ExclusionExtension", ".bat"), 1, 0) 
  | extend ExeExclusion = iff(CommandLine has_all("-ExclusionExtension", ".exe"), 1, 0) 
  | extend DisableControlledFolderAccess = iff(CommandLine has_all("-EnableControlledFolderAccess", "Disabled"), 1, 0) 
  | extend ScDeleteDefend = iff(CommandLine has_all("sc", "delete", "windefend"), 1, 0) 
  | extend BootTampering = iff(CommandLine has_all("bcdedit", "default") and CommandLine has_any ("recoveryenabled No", "bootstatuspolicy ignoreallfailures"), 1, 0) 
  | extend SchTasks = iff(CommandLine has_all("/sc", "onstart", "system", "/create", "/delay"), 1, 0) 
  // Summarizing found commands 
  | summarize by NetshFirewallTampering ,BatExclusion, ExeExclusion, DisableControlledFolderAccess, ScDeleteDefend, SchTasks, BootTampering, DefenderTamp, StartUpExclusionPath, DvcId, Dvc, TimeGenerated 
  // Adding up each piece of evidence 
  | extend EvidenceCount = NetshFirewallTampering + BatExclusion + ExeExclusion + DisableControlledFolderAccess + ScDeleteDefend + SchTasks + BootTampering + DefenderTamp + StartUpExclusionPath 
  | where EvidenceCount > 4
  | extend HostName = iff(Dvc has '.', substring(Dvc, 0, indexof(Dvc, '.')), Dvc)
  | extend DnsDomain = iff(Dvc has '.', substring(Dvc, indexof(Dvc, '.') + 1), "")  
kind: Scheduled
triggerThreshold: 0
id: bb46dd86-e642-48a4-975c-44f5ac2b5033
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bb46dd86-e642-48a4-975c-44f5ac2b5033')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bb46dd86-e642-48a4-975c-44f5ac2b5033')]",
      "properties": {
        "alertRuleTemplateName": "bb46dd86-e642-48a4-975c-44f5ac2b5033",
        "customDetails": null,
        "description": "This query checks for a series of commands that are commonly used by attackers to disable security tools and system recovery tools before deploying Macaw ransomware in an organization.\n",
        "displayName": "Imminent Ransomware",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Dvc",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Campaign/Macaw Ransomware/ImminentRansomware.yaml",
        "query": "_ASim_ProcessEvent \n// Pivot on specific commands \n| where CommandLine has_any(\"-ExclusionPath\", \"Set-MpPreference\", \"advfirewall\", \"-ExclusionExtension\", \n\"-EnableControlledFolderAccess\", \"windefend\", \"onstart\", \"bcdedit\", \"Startup\") \n// Making list of found commands \n| summarize CommandLine = make_set(CommandLine, 10000) by DvcId, Dvc, bin(TimeGenerated, 6h) \n// Extending columns for later aggregration, based on TTP\n| extend StartUpExclusionPath = iff(CommandLine has_all(\"-ExclusionPath\", \"Startup\"), 1, 0) \n| extend DefenderTamp = iff(CommandLine has \"Set-MpPreference\" \nand CommandLine has_any( \n\"-SevereThreatDefaultAction 6\" \n\"-HighThreatDefaultAction 6\", \n\"-ModerateThreatDefaultAction 6\", \n\"-LowThreatDefaultAction 6\" \n\"-ScanScheduleDay 8\"), 1, 0) \n| extend NetshFirewallTampering = iff(CommandLine has_all( \"netsh\", \"advfirewall\", \"allprofiles state off\"), 1, 0) \n| extend BatExclusion = iff(CommandLine has_all(\"-ExclusionExtension\", \".bat\"), 1, 0) \n| extend ExeExclusion = iff(CommandLine has_all(\"-ExclusionExtension\", \".exe\"), 1, 0) \n| extend DisableControlledFolderAccess = iff(CommandLine has_all(\"-EnableControlledFolderAccess\", \"Disabled\"), 1, 0) \n| extend ScDeleteDefend = iff(CommandLine has_all(\"sc\", \"delete\", \"windefend\"), 1, 0) \n| extend BootTampering = iff(CommandLine has_all(\"bcdedit\", \"default\") and CommandLine has_any (\"recoveryenabled No\", \"bootstatuspolicy ignoreallfailures\"), 1, 0) \n| extend SchTasks = iff(CommandLine has_all(\"/sc\", \"onstart\", \"system\", \"/create\", \"/delay\"), 1, 0) \n// Summarizing found commands \n| summarize by NetshFirewallTampering ,BatExclusion, ExeExclusion, DisableControlledFolderAccess, ScDeleteDefend, SchTasks, BootTampering, DefenderTamp, StartUpExclusionPath, DvcId, Dvc, TimeGenerated \n// Adding up each piece of evidence \n| extend EvidenceCount = NetshFirewallTampering + BatExclusion + ExeExclusion + DisableControlledFolderAccess + ScDeleteDefend + SchTasks + BootTampering + DefenderTamp + StartUpExclusionPath \n| where EvidenceCount > 4\n| extend HostName = iff(Dvc has '.', substring(Dvc, 0, indexof(Dvc, '.')), Dvc)\n| extend DnsDomain = iff(Dvc has '.', substring(Dvc, indexof(Dvc, '.') + 1), \"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Persistence"
        ],
        "tags": [
          {
            "Schema": "_ASim_ProcessEvent",
            "SchemaVersion": "0.1.4"
          },
          "Ransomware Campaign",
          "Macaw Ransomware"
        ],
        "techniques": [
          "T1547",
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}