-
Notifications
You must be signed in to change notification settings - Fork 0
/
Possible Ransomware Related Destruction Activity
28 lines (27 loc) · 2.09 KB
/
Possible Ransomware Related Destruction Activity
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# AzureSentinel-
Analytic Rules
// # Possible Ransomware Related Destruction Activity
//
// This query identifies common processes run by ransomware
// malware to destroy volume shadow copies or clean free
// space on a drive to prevent a file from being recovered
// post-encryption. To reduce false positives, results are
// filtered to only actions taken when the initiating
// process was launched from a suspicious directory. If
// you don't mind false positives, consider removing the
// last where clause.
//
// Special thanks to Captain for additional inputs
//
// This query was updated on 2021-05-19 from https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Execution/Possible%20Ransomware%20Related%20Destruction%20Activity.md
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName =~ 'vssadmin.exe' and ProcessCommandLine has "delete shadows" and ProcessCommandLine has "/all" and ProcessCommandLine has "/quiet") // Clearing shadow copies
or (FileName =~ 'cipher.exe' and ProcessCommandLine contains "/w") // Wiping drive free space
or (FileName =~ 'schtasks.exe' and ProcessCommandLine has "/change" and ProcessCommandLine has @"\Microsoft\Windows\SystemRestore\SR" and ProcessCommandLine has "/disable") // Disabling system restore task
or (FileName =~ 'fsutil.exe' and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal" and ProcessCommandLine has "/d") // Deleting USN journal
or (FileName =~ 'icacls.exe' and ProcessCommandLine has @'"C:\*"' and ProcessCommandLine contains '/grant Everyone:F') // Attempts to re-ACL all files on the C drive to give everyone full control
or (FileName =~ 'powershell.exe' and (
ProcessCommandLine matches regex @'\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s+' and replace(@'\x00', '', base64_decode_tostring(extract("[A-Za-z0-9+/]{50,}[=]{0,2}", 0, ProcessCommandLine))) matches regex @".*(Win32_Shadowcopy).*(.Delete\(\)).*"
) or ProcessCommandLine matches regex @".*(Win32_Shadowcopy).*(.Delete\(\)).*"
) // This query looks for PowerShell-based commands used to delete shadow copies