Merge pull request #231 from martyav/ransomware-healthcare-misc

added misc pages related to ransomware techniques
2020-11-11 13:28:21 +02:00 · 2020-11-11 13:28:21 +02:00 · bed1cfd3d8
--- a/evasion/alt-data-streams.md
+++ b/evasion/alt-data-streams.md
@ -0,0 +1,56 @@
+# Detect use of Alternate Data Streams
+
+This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).
+
+In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.
+
+The following query detects suspicious use of [Alternate Data Streams](https://docs.microsoft.com/sysinternals/downloads/streams) (ADS), which may indicate an attempt to mask malicious activity. These campaigns have been known to deploy ransomware in-memory and exploit ADS.
+
+The [See also](#see=also) section below lists more queries related to techniques shared by these campaigns.
+
+## Query
+
+```Kusto
+// Alternate Data Streams execution 
+DeviceProcessEvents 
+| where Timestamp > ago(7d) 
+// Command lines used 
+| where ProcessCommandLine startswith "-q -s" and ProcessCommandLine hasprefix "-p" 
+// Removing IDE processes 
+and not(FolderPath has_any("visual studio", "ide")) 
+| summarize make_set(ProcessCommandLine), make_set(FolderPath), 
+make_set(InitiatingProcessCommandLine) by DeviceId, bin(Timestamp, 1h)
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion | v |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+[Return backup files deletion events](../Impact/backup-deletion.md)
+[Detect attempts to turn off System Restore](./turn-off-system-restore.md)
+[Detect cipher.exe deleting data](./deleting-data-w-cipher-tool.md)
+[Detect clearing of system logs](./clear-system-logs.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team
--- a/evasion/clear-system-logs.md
+++ b/evasion/clear-system-logs.md
@ -0,0 +1,51 @@
+# Detect clearing of system logs
+
+This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).
+
+In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.
+
+The following query detects attempts to use *fsutil.exe* to clear system logs and delete forensic artifacts.
+
+The [See also](#see=also) section below lists more queries related to techniques shared by these campaigns.
+
+## Query
+
+```Kusto
+DeviceProcessEvents
+| where Timestamp > ago(7d)
+| where FileName =~ "fsutil.exe"
+and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal"
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion | v |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+[Return backup files deletion events](../Impact/backup-deletion.md)
+[Detect use of Alternate Data Streams](./alt-data-streams.md)
+[Detect attempts to turn off System Restore](./turn-off-system-restore.md)
+[Detect cipher.exe deleting data](./deleting-data-w-cipher-tool.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team
--- a/evasion/deleting-data-w-cipher-tool.md
+++ b/evasion/deleting-data-w-cipher-tool.md
@ -0,0 +1,56 @@
+# Detect cipher.exe deleting data
+
+This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).
+
+In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.
+
+The following query detects the use of the tool *cipher.exe* to delete indicators of malicious activity right before encrypting a drive.
+
+The [See also](#see=also) section below lists more queries related to techniques shared by these campaigns.
+
+## Query
+
+```Kusto
+DeviceProcessEvents 
+| where Timestamp > ago(7d)  
+| where FileName =~ "cipher.exe"  
+// Looking for /w flag for deleting  
+| where ProcessCommandLine has "/w"  
+| summarize CommandCount = dcount(ProcessCommandLine), 
+make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m)  
+// Looking for multiple drives in a short timeframe  
+| where CommandCount > 1
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion | v |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+[Return backup files deletion events](../Impact/backup-deletion.md)
+[Detect use of Alternate Data Streams](./alt-data-streams.md)
+[Detect attempts to turn off System Restore](./turn-off-system-restore.md)
+[Detect clearing of system logs](./clear-system-logs.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team
--- a/Impact/backup-deletion.md
+++ b/Impact/backup-deletion.md
@ -0,0 +1,50 @@
+# Return backup files deletion events
+
+This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).
+
+In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.
+
+The following query returns alerts raised when backup files were deleted.
+
+The [See also](#see=also) section below lists more queries related to techniques shared by these campaigns.
+
+## Query
+
+```Kusto
+AlertInfo
+| where Timestamp > ago(7d) 
+| where Title == "File backups were deleted" 
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion | v |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact | v |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+[Detect use of Alternate Data Streams](../Defense%20evasion/alt-data-streams.md)
+[Detect attempts to turn off System Restore](../Defense%20evasion/turn-off-system-restore.md)
+[Detect cipher.exe deleting data](../Defense%20evasion/deleting-data-w-cipher-tool.md)
+[Detect clearing of system logs](../Defense%20evasion/clear-system-logs.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team
--- a/Impact/turn-off-system-restore.md
+++ b/Impact/turn-off-system-restore.md
@ -0,0 +1,58 @@
+# Detect attempts to turn off System Restore
+
+This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).
+
+In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.
+
+The following query detects attempts to stop System Restore, which would prevent the user from recovering data by going back to a restore point.
+
+The [See also](#see=also) section below lists more queries related to techniques shared by these campaigns.
+
+## Query
+
+```Kusto
+DeviceProcessEvents  
+| where Timestamp > ago(7d)  
+//Pivoting for rundll32  
+and InitiatingProcessFileName =~ 'rundll32.exe'   
+//Looking for empty command line   
+and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""  
+//Looking for schtasks.exe as the created process  
+and FileName in~ ('schtasks.exe')  
+//Disabling system restore   
+and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore' 
+and ProcessCommandLine has 'disable'
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion | v |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact | v |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+[Return backup files deletion events](./backup-deletion.md)
+[Detect use of Alternate Data Streams](../Defense%20evasion/alt-data-streams.md)
+[Detect cipher.exe deleting data](../Defense%20evasion/deleting-data-w-cipher-tool.md)
+[Detect clearing of system logs](../Defense%20evasion/clear-system-logs.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team