Query Details

All BlackCat/ALPHV Ransomware IOCs with one KQL query

IOC Black Cat Ransomware

Query

let MD5_IOCs = dynamic(['861738dd15eb7fb50568f0e39a69e107', '9f60dd752e7692a2f5c758de4eab3e6f', '09bc47d7bc5e40d40d9729cec5e39d73', 
'f5ef5142f044b94ac5010fd883c09aa7', '84e3b5fe3863d25bb72e25b10760e861', '9f2309285e8a8471fce7330fcade8619', '6c6c46bdac6713c94debbd454d34efd9', 
'e7ee8ea6fb7530d1d904cdb2d9745899', '815bb1b0c5f0f35f064c55a1b640fca5', '6c2874169fdfb30846fe7ffe34635bdb', '20855475d20d252dda21287264a6d860', 
'82db4c04f5dcda3bfcd75357adf98228', 'fcf3a6eeb9f836315954dae03459716d', '91625f7f5d590534949ebe08cc728380']);
let SHA1_IOCs = dynamic (['d241df7b9d2ec0b8194751cd5ce153e27cc40fa4', '4831c1b113df21360ef68c450b5fca278d08fae2', 
'fce13da5592e9e120777d82d27e06ed2b44918cf', '3f85f03d33b9fe25bcfac611182da4ab7f06a442', '37178dfaccbc371a04133d26a55127cf4d4382f8', 
'1b2a30776df64fbd7299bd588e21573891dcecbe']);
let SHA256_IOCs = dynamic(['731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161', 
'f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb', 
'731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161', 
'80dd44226f60ba5403745ba9d18490eb8ca12dbc9be0a317dd2b692ec041da28']);
let IP_IOCs = dynamic (['89.44.9.243', '142.234.157.246', '45.134.20.66', '185.220.102.253',
     '37.120.238.58', '152.89.247.207', '198.144.121.93', '89.163.252.230',
     '45.153.160.140', '23.106.223.97', '139.60.161.161', '146.0.77.15',
     '94.232.41.155']);
(union isfuzzy=true
     (DeviceNetworkEvents
     | where RemoteIP in (IP_IOCs)),
     (DeviceFileEvents
     | where MD5 in (MD5_IOCs)),
     (DeviceFileEvents
     | where SHA1 in (SHA1_IOCs)),
     (DeviceFileEvents
     | where SHA256 in (SHA256_IOCs))
)

About this query

Explanation

This query is designed to detect indicators of compromise (IOCs) associated with the BlackCat/ALPHV ransomware. It checks for specific malicious activities in a network by looking for known malicious file hashes and IP addresses. Here's a simple breakdown:

  1. Indicators of Compromise (IOCs): The query uses lists of known malicious MD5, SHA1, and SHA256 file hashes, as well as IP addresses, which are associated with the BlackCat/ALPHV ransomware.

  2. Data Sources: It searches through two main types of data:

    • DeviceNetworkEvents: This checks network activity for any connections to the listed malicious IP addresses.
    • DeviceFileEvents: This checks file activity for any files that match the listed malicious hashes (MD5, SHA1, SHA256).
  3. Union of Results: The query combines results from both data sources to provide a comprehensive view of any potential ransomware activity detected in the network.

  4. Purpose: The goal is to identify and alert on any network or file activity that matches the known IOCs of the BlackCat/ALPHV ransomware, helping security teams to respond quickly to potential threats.

This query is applicable in both Defender XDR and Sentinel environments, allowing for consistent threat detection across different security platforms.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEventsDeviceFileEvents

Keywords

DeviceNetworkEventsFileRemoteIPMD5SHA1SHA256

Operators

letdynamicunionisfuzzyinwhere

MITRE Techniques

Actions

GitHub