Hunt for files that have been used by APTs since 2015
Ransomware APT Notes SHA1IOC
Query
let APTInfo = externaldata(Filename: string, Title: string, Source: string, Link: string, SHA1: string, Date: datetime, Year: int)[@"https://raw.githubusercontent.com/aptnotes/data/master/APTnotes.csv"]
with (format="csv", ignoreFirstRecord=True);
let SHA1IOC = APTInfo
| where Year > 2015 //first IOC reported in 2008
| distinct SHA1;
DeviceFileEvents
| where SHA1 has_any (SHA1IOC)
| project
Timestamp,
DeviceName,
InitiatingProcessAccountName,
InitiatingProcessAccountDomain,
FileName,
FolderPath,
InitiatingProcessCommandLine,
SHA1About this query
Hunt for files that have been used by APTs since 2015
Query Information
Description
This query uses a external csv that contains APT Ransomware note hashes. This list is used to search your environment for hash based matches on those ransomware notes.
Risk
An Threat Actor is deploying ransomware in your environment.
Defender XDR
Sentinel
let APTInfo = externaldata(Filename: string, Title: string, Source: string, Link: string, SHA1: string, Date: datetime, Year: int)[@"https://raw.githubusercontent.com/aptnotes/data/master/APTnotes.csv"]
with (format="csv", ignoreFirstRecord=True);
let SHA1IOC = APTInfo
| where Year > 2015 //first IOC reported in 2008
| distinct SHA1;
DeviceFileEvents
| where SHA1 has_any (SHA1IOC)
| project
TimeGenerated,
DeviceName,
InitiatingProcessAccountName,
InitiatingProcessAccountDomain,
FileName,
FolderPath,
InitiatingProcessCommandLine,
SHA1
Explanation
This query is designed to help identify files in your environment that may be associated with Advanced Persistent Threats (APTs) using ransomware since 2015. Here's a simple breakdown of what the query does:
-
Data Source: It uses an external CSV file that contains information about ransomware notes used by APTs. This file includes details like the filename, title, source, link, SHA1 hash, date, and year of the ransomware notes.
-
Filter for Recent Threats: The query filters this data to only include ransomware notes reported after 2015. This is done to focus on more recent threats.
-
Identify Matches: It then checks your environment's file events to see if any files have SHA1 hashes that match those in the filtered list from the CSV.
-
Output Information: If matches are found, the query outputs details such as the timestamp of the event, the device name, the account name and domain that initiated the process, the filename, the folder path, the command line used to initiate the process, and the SHA1 hash of the file.
The query is run in both Defender XDR and Sentinel environments, with slight differences in the output field names (e.g., Timestamp vs. TimeGenerated), but the core functionality remains the same. This helps in detecting potential ransomware activity linked to known APTs in your network.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators