Query Details

Ransomware Tool Matrix Defender Lookup

Query

//WORK IN PROGRESS
//This query tries to match up device procs to the ransomware toolbox matrix. Note this query is not perfect due to how the ransomwaretoolbox csv is formatted and tools are displayed.. some work will need to be done. Also bear in mind attackers can rename tools/binaries. Ref https://github.com/BushidoUK/Ransomware-Tool-Matrix/tree/main/Tools
let RansomwareToolMatrix = externaldata (Discovery: string, RMMTools:string, DefenseEvasion:string,CredentialTheft:string,Offsec:string,Networking:string,LOLBAS:string,Exfiltration:string) [@'https://raw.githubusercontent.com/BushidoUK/Ransomware-Tool-Matrix/refs/heads/main/Tools/AllTools.csv'] with (format=csv, ignoreFirstRecord =true);
let DiscoveryTools = RansomwareToolMatrix // split individual columns if required
| project Discovery
| where isnotempty(Discovery);
let RMMTools = RansomwareToolMatrix
| project RMMTools
| where isnotempty(RMMTools);
let DefenseEvasion= RansomwareToolMatrix
| project DefenseEvasion
| where isnotempty(DefenseEvasion);
let CredentialTheft= RansomwareToolMatrix
| project CredentialTheft
| where isnotempty(CredentialTheft);
let Offsec = RansomwareToolMatrix
| project Offsec
| where isnotempty(Offsec);
let Networking = RansomwareToolMatrix
| project Networking
| where isnotempty(Networking);
let LOLBAS = RansomwareToolMatrix
| project LOLBAS
| where isnotempty(LOLBAS);
let Exfiltration = RansomwareToolMatrix
| project Exfiltration
| where isnotempty(Exfiltration);
RansomwareToolMatrix
let DeviceProcs = DeviceProcessEvents
| where TimeGenerated > ago(90d)
| where ProcessCommandLine has_any(DiscoveryTools) or ProcessCommandLine has_any(RMMTools) or ProcessCommandLine has_any(DefenseEvasion) or ProcessCommandLine has_any(CredentialTheft) or ProcessCommandLine has_any(Offsec) or ProcessCommandLine has_any(Networking) or ProcessCommandLine has_any(LOLBAS) or ProcessCommandLine has_any(Exfiltration)
| summarize make_list(DeviceName) by FileName, InitiatingProcessFileName,ProcessVersionInfoCompanyName //, ProcessCommandLine;
DeviceNetworkEvents
| where RemoteUrl has_any(Exfiltration)
| summarize make_list(DeviceName) by RemoteUrl, InitiatingProcessAccountUpn
| union DeviceProcs

Explanation

This query is designed to identify potential ransomware activity on devices by comparing running processes and network events against a known list of ransomware tools. Here's a simplified breakdown:

  1. Data Source: It uses an external CSV file from a GitHub repository that lists various ransomware tools categorized by their functions, such as Discovery, RMM Tools, Defense Evasion, etc.

  2. Categorization: The query separates these tools into different categories (Discovery, RMM Tools, Defense Evasion, etc.) by extracting non-empty entries from each category in the CSV file.

  3. Device Process Monitoring:

    • It examines device process events from the last 90 days.
    • It checks if any process command lines contain tools from any of the categories.
    • If a match is found, it summarizes the data by listing device names associated with each file name, initiating process file name, and company name of the process.
  4. Network Event Monitoring:

    • It looks at device network events to see if any remote URLs match tools in the Exfiltration category.
    • It summarizes this data by listing device names associated with each remote URL and the account that initiated the process.
  5. Combining Results: The results from the device process monitoring and network event monitoring are combined to provide a comprehensive view of potential ransomware activity.

Overall, this query aims to detect suspicious activities that might indicate ransomware operations by matching device processes and network events against a known set of ransomware tools. However, it notes that the query isn't perfect due to potential tool renaming by attackers and the format of the CSV file.

Details

Jay Kerai profile picture

Jay Kerai

Released: December 16, 2024

Tables

RansomwareToolMatrixDeviceProcessEventsDeviceNetworkEvents

Keywords

RansomwareToolMatrixDiscoveryRMMToolsDefenseEvasionCredentialTheftOffsecNetworkingLOLBASExfiltrationDeviceProcessEventsDeviceNetworkEventsDeviceNameFileNameInitiatingProcessFileNameProcessVersionInfoCompanyNameRemoteUrlInitiatingProcessAccountUpn

Operators

externaldataletprojectwhereisnotemptyhas_anysummarizemake_listbyunionformatignoreFirstRecordwithago

Actions

GitHub