Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dev-0530 File Extension Rename

Back
Idd82eb796-d1eb-43c8-a813-325ce3417cef
RulenameDev-0530 File Extension Rename
DescriptionDev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.
SeverityHigh
TacticsImpact
TechniquesT1486
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0530_FileExtRename.yaml
Version1.1.1
Arm templated82eb796-d1eb-43c8-a813-325ce3417cef.json
Deploy To Azure
union isfuzzy=true
    (DeviceFileEvents
    | where ActionType == "FileCreated"
    | where FileName endswith ".h0lyenc" or FolderPath == "C:\\FOR_DECRYPT.html"
    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
        by
        AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,
        DeviceName,
        Type,
        InitiatingProcessId,
        FileName,
        FolderPath,
        EventType = ActionType,
        Commandline = InitiatingProcessCommandLine,
        InitiatingProcessFileName,
        InitiatingProcessSHA256,
        FileHashCustomEntity = SHA256,
        AlgorithmCustomEntity = "SHA256"
    | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
    | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
    ),
    (imFileEvent
    | where EventType == "FileCreated"
    | where TargetFilePath endswith ".h0lyenc" or TargetFilePath == "C:\\FOR_DECRYPT.html"
    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
        by
        ActorUsername,
        DvcHostname,
        DvcDomain,
        DvcId,
        Type,
        EventType,
        FileHashCustomEntity = TargetFileSHA256,
        Hash,
        TargetFilePath,
        Commandline = ActingProcessCommandLine,
        AlgorithmCustomEntity = "SHA256"
    | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountDomain = tostring(split(ActorUsername, @'\')[0])
    | extend HostName = DvcHostname, HostNameDomain = DvcDomain
    | extend DeviceName = strcat(DvcHostname, ".", DvcDomain )
    )
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0530_FileExtRename.yaml
metadata:
  categories:
    domains:
    - Security - Others
  author:
    name: Microsoft Security Research
  source:
    kind: Community
  support:
    tier: Community
id: d82eb796-d1eb-43c8-a813-325ce3417cef
query: |
  union isfuzzy=true
      (DeviceFileEvents
      | where ActionType == "FileCreated"
      | where FileName endswith ".h0lyenc" or FolderPath == "C:\\FOR_DECRYPT.html"
      | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
          by
          AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,
          DeviceName,
          Type,
          InitiatingProcessId,
          FileName,
          FolderPath,
          EventType = ActionType,
          Commandline = InitiatingProcessCommandLine,
          InitiatingProcessFileName,
          InitiatingProcessSHA256,
          FileHashCustomEntity = SHA256,
          AlgorithmCustomEntity = "SHA256"
      | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
      | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
      ),
      (imFileEvent
      | where EventType == "FileCreated"
      | where TargetFilePath endswith ".h0lyenc" or TargetFilePath == "C:\\FOR_DECRYPT.html"
      | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
          by
          ActorUsername,
          DvcHostname,
          DvcDomain,
          DvcId,
          Type,
          EventType,
          FileHashCustomEntity = TargetFileSHA256,
          Hash,
          TargetFilePath,
          Commandline = ActingProcessCommandLine,
          AlgorithmCustomEntity = "SHA256"
      | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountDomain = tostring(split(ActorUsername, @'\')[0])
      | extend HostName = DvcHostname, HostNameDomain = DvcDomain
      | extend DeviceName = strcat(DvcHostname, ".", DvcDomain )
      )  
tags:
- Dev-0530
- SchemaVersion: 0.1.0
  Schema: ASIMFileEvent
description: |
    'Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.'
name: Dev-0530 File Extension Rename
relevantTechniques:
- T1486
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: ActorUserName
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: AlgorithmCustomEntity
  - identifier: Value
    columnName: FileHashCustomEntity
triggerThreshold: 0
severity: High
requiredDataConnectors:
- dataTypes:
  - DeviceFileEvents
  connectorId: MicrosoftThreatProtection
queryFrequency: 1d
queryPeriod: 1d
version: 1.1.1
kind: Scheduled
tactics:
- Impact
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d82eb796-d1eb-43c8-a813-325ce3417cef')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d82eb796-d1eb-43c8-a813-325ce3417cef')]",
      "properties": {
        "alertRuleTemplateName": "d82eb796-d1eb-43c8-a813-325ce3417cef",
        "customDetails": null,
        "description": "'Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.'\n",
        "displayName": "Dev-0530 File Extension Rename",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ActorUserName",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "AlgorithmCustomEntity",
                "identifier": "Algorithm"
              },
              {
                "columnName": "FileHashCustomEntity",
                "identifier": "Value"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0530_FileExtRename.yaml",
        "query": "union isfuzzy=true\n    (DeviceFileEvents\n    | where ActionType == \"FileCreated\"\n    | where FileName endswith \".h0lyenc\" or FolderPath == \"C:\\\\FOR_DECRYPT.html\"\n    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\n        by\n        AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,\n        DeviceName,\n        Type,\n        InitiatingProcessId,\n        FileName,\n        FolderPath,\n        EventType = ActionType,\n        Commandline = InitiatingProcessCommandLine,\n        InitiatingProcessFileName,\n        InitiatingProcessSHA256,\n        FileHashCustomEntity = SHA256,\n        AlgorithmCustomEntity = \"SHA256\"\n    | extend HostName = tostring(split(DeviceName, \".\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\n    | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\n    ),\n    (imFileEvent\n    | where EventType == \"FileCreated\"\n    | where TargetFilePath endswith \".h0lyenc\" or TargetFilePath == \"C:\\\\FOR_DECRYPT.html\"\n    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\n        by\n        ActorUsername,\n        DvcHostname,\n        DvcDomain,\n        DvcId,\n        Type,\n        EventType,\n        FileHashCustomEntity = TargetFileSHA256,\n        Hash,\n        TargetFilePath,\n        Commandline = ActingProcessCommandLine,\n        AlgorithmCustomEntity = \"SHA256\"\n    | extend AccountName = tostring(split(ActorUsername, @'\\')[1]), AccountDomain = tostring(split(ActorUsername, @'\\')[0])\n    | extend HostName = DvcHostname, HostNameDomain = DvcDomain\n    | extend DeviceName = strcat(DvcHostname, \".\", DvcDomain )\n    )\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "tags": [
          "Dev-0530",
          {
            "Schema": "ASIMFileEvent",
            "SchemaVersion": "0.1.0"
          }
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.1.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}