Dev-0530 File Extension Rename
| Id | d82eb796-d1eb-43c8-a813-325ce3417cef |
| Rulename | Dev-0530 File Extension Rename |
| Description | Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note. |
| Severity | High |
| Tactics | Impact |
| Techniques | T1486 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0530_FileExtRename.yaml |
| Version | 1.1.1 |
| Arm template | d82eb796-d1eb-43c8-a813-325ce3417cef.json |
union isfuzzy=true
(DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".h0lyenc" or FolderPath == "C:\\FOR_DECRYPT.html"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
by
AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,
DeviceName,
Type,
InitiatingProcessId,
FileName,
FolderPath,
EventType = ActionType,
Commandline = InitiatingProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessSHA256,
FileHashCustomEntity = SHA256,
AlgorithmCustomEntity = "SHA256"
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
),
(imFileEvent
| where EventType == "FileCreated"
| where TargetFilePath endswith ".h0lyenc" or TargetFilePath == "C:\\FOR_DECRYPT.html"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
by
ActorUsername,
DvcHostname,
DvcDomain,
DvcId,
Type,
EventType,
FileHashCustomEntity = TargetFileSHA256,
Hash,
TargetFilePath,
Commandline = ActingProcessCommandLine,
AlgorithmCustomEntity = "SHA256"
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountDomain = tostring(split(ActorUsername, @'\')[0])
| extend HostName = DvcHostname, HostNameDomain = DvcDomain
| extend DeviceName = strcat(DvcHostname, ".", DvcDomain )
)
description: |
'Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.'
tactics:
- Impact
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceFileEvents
tags:
- Dev-0530
- Schema: ASIMFileEvent
SchemaVersion: 0.1.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0530_FileExtRename.yaml
query: |
union isfuzzy=true
(DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".h0lyenc" or FolderPath == "C:\\FOR_DECRYPT.html"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
by
AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,
DeviceName,
Type,
InitiatingProcessId,
FileName,
FolderPath,
EventType = ActionType,
Commandline = InitiatingProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessSHA256,
FileHashCustomEntity = SHA256,
AlgorithmCustomEntity = "SHA256"
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
),
(imFileEvent
| where EventType == "FileCreated"
| where TargetFilePath endswith ".h0lyenc" or TargetFilePath == "C:\\FOR_DECRYPT.html"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
by
ActorUsername,
DvcHostname,
DvcDomain,
DvcId,
Type,
EventType,
FileHashCustomEntity = TargetFileSHA256,
Hash,
TargetFilePath,
Commandline = ActingProcessCommandLine,
AlgorithmCustomEntity = "SHA256"
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountDomain = tostring(split(ActorUsername, @'\')[0])
| extend HostName = DvcHostname, HostNameDomain = DvcDomain
| extend DeviceName = strcat(DvcHostname, ".", DvcDomain )
)
version: 1.1.1
entityMappings:
- entityType: Account
fieldMappings:
- columnName: ActorUserName
identifier: FullName
- columnName: AccountName
identifier: Name
- columnName: AccountDomain
identifier: NTDomain
- entityType: Host
fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: HostNameDomain
identifier: DnsDomain
- entityType: FileHash
fieldMappings:
- columnName: AlgorithmCustomEntity
identifier: Algorithm
- columnName: FileHashCustomEntity
identifier: Value
metadata:
author:
name: Microsoft Security Research
source:
kind: Community
categories:
domains:
- Security - Others
support:
tier: Community
id: d82eb796-d1eb-43c8-a813-325ce3417cef
kind: Scheduled
relevantTechniques:
- T1486
severity: High
triggerThreshold: 0
queryPeriod: 1d
triggerOperator: gt
name: Dev-0530 File Extension Rename
queryFrequency: 1d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d82eb796-d1eb-43c8-a813-325ce3417cef')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d82eb796-d1eb-43c8-a813-325ce3417cef')]",
"properties": {
"alertRuleTemplateName": "d82eb796-d1eb-43c8-a813-325ce3417cef",
"customDetails": null,
"description": "'Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.'\n",
"displayName": "Dev-0530 File Extension Rename",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "ActorUserName",
"identifier": "FullName"
},
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "HostNameDomain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "AlgorithmCustomEntity",
"identifier": "Algorithm"
},
{
"columnName": "FileHashCustomEntity",
"identifier": "Value"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0530_FileExtRename.yaml",
"query": "union isfuzzy=true\n (DeviceFileEvents\n | where ActionType == \"FileCreated\"\n | where FileName endswith \".h0lyenc\" or FolderPath == \"C:\\\\FOR_DECRYPT.html\"\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\n by\n AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,\n DeviceName,\n Type,\n InitiatingProcessId,\n FileName,\n FolderPath,\n EventType = ActionType,\n Commandline = InitiatingProcessCommandLine,\n InitiatingProcessFileName,\n InitiatingProcessSHA256,\n FileHashCustomEntity = SHA256,\n AlgorithmCustomEntity = \"SHA256\"\n | extend HostName = tostring(split(DeviceName, \".\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\n ),\n (imFileEvent\n | where EventType == \"FileCreated\"\n | where TargetFilePath endswith \".h0lyenc\" or TargetFilePath == \"C:\\\\FOR_DECRYPT.html\"\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\n by\n ActorUsername,\n DvcHostname,\n DvcDomain,\n DvcId,\n Type,\n EventType,\n FileHashCustomEntity = TargetFileSHA256,\n Hash,\n TargetFilePath,\n Commandline = ActingProcessCommandLine,\n AlgorithmCustomEntity = \"SHA256\"\n | extend AccountName = tostring(split(ActorUsername, @'\\')[1]), AccountDomain = tostring(split(ActorUsername, @'\\')[0])\n | extend HostName = DvcHostname, HostNameDomain = DvcDomain\n | extend DeviceName = strcat(DvcHostname, \".\", DvcDomain )\n )\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"tags": [
"Dev-0530",
{
"Schema": "ASIMFileEvent",
"SchemaVersion": "0.1.0"
}
],
"techniques": [
"T1486"
],
"templateVersion": "1.1.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}