Unlock the Ultimate Defense: Top 3 Hunting Queries for Ransomware Protection in Microsoft Sentinel


📝An actor has gained access to your network and tries to execute ransomware. This query surfaces the Attack Surface Reduction (ASR) events raised when the ransomware protection rule blocked or audited the attempt, grouped per device and account.

🏹Query:
// In Microsoft Sentinel the Defender tables expose TimeGenerated (Defender advanced hunting calls the same column Timestamp).
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType has_any ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
| summarize
    arg_max(TimeGenerated, *),
    TotalEvents = count(),
    TriggeredFiles = make_set(FileName),
    FileHashes = make_set(SHA1),
    InitiatingProcesses = make_set(InitiatingProcessCommandLine)
    by DeviceName, AccountName
| project
    TimeGenerated,
    DeviceName,
    AccountDomain,
    AccountName,
    TotalEvents,
    TriggeredFiles,
    FileHashes,
    InitiatingProcesses
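An AsrRansomwareAudited event means the ASR rule was running in audit mode and did not stop the file, so those hosts deserve attention before the ones where the rule blocked. The following variant, an added example that is not part of the original post, splits the counts with countif and ranks audited hosts first; the Severity labels and the make_set size caps are assumptions chosen for this example.

```kql
// Added example (not from the original post): blocked vs. audited ASR ransomware events.
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType in ("AsrRansomwareBlocked", "AsrRansomwareAudited")
| summarize
    arg_max(TimeGenerated, *),
    TotalEvents = count(),
    BlockedEvents = countif(ActionType == "AsrRansomwareBlocked"),
    AuditedEvents = countif(ActionType == "AsrRansomwareAudited"),   // rule only audited: file was not stopped
    TriggeredFiles = make_set(FileName, 50),
    FileHashes = make_set(SHA1, 50),
    InitiatingProcesses = make_set(InitiatingProcessCommandLine, 20)
    by DeviceName, AccountName
// Assumed severity labels for triage; adjust to your own scale.
| extend Severity = iff(AuditedEvents > 0, "High - audit mode, file not blocked", "Medium - blocked")
| project
    TimeGenerated,
    DeviceName,
    AccountDomain,
    AccountName,
    Severity,
    TotalEvents,
    BlockedEvents,
    AuditedEvents,
    TriggeredFiles,
    FileHashes,
    InitiatingProcesses
| sort by AuditedEvents desc, TotalEvents desc
```

Hosts with AuditedEvents greater than zero are the ones where the detection fired but nothing was prevented, which is also a useful list for deciding where to move the ASR rule from audit to block mode.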

📝Detects KillNet's ransomware note (ru.txt) and the file extension (.killnet) that has been used to encrypt files.

🏹Query:
let killnetRansomNote = "ru.txt";
let killnetRansomExtension = ".killnet";
DeviceFileEvents
| where FileName =~ killnetRansomNote or FileName endswith killnetRansomExtension
| project-reorder TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine

📝Triggers when a file with a known ransomware extension has been found.

🏹Query:
let RansomwareExtensionsInput = externaldata(Extension: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-extension-list.txt"] with (format="txt", ignoreFirstRecord=true);
let RansomwareExtensionAddition = dynamic(['.misingfromabovelist']); // Add your missing / new extensions in this list.
let RansomwareExtensions = materialize (
    RansomwareExtensionsInput
    | distinct Extension
    // Extension without the leading dot (e.g. ".locky" -> "locky")
    | extend RawExtension = substring(Extension, 1, string_size(Extension))
);
DeviceFileEvents
| where FileName has_any (RansomwareExtensions) or FileName has_any (RansomwareExtensionAddition)
| summarize
    arg_max(TimeGenerated, *),
    EncryptedFiles = make_set(FileName),
    Locations = make_set(FolderPath)
    by DeviceName
| extend TotalFileEncrypted = array_length(EncryptedFiles)
| project-reorder
    TimeGenerated,
    TotalFileEncrypted,
    EncryptedFiles,
    Locations,
    InitiatingProcessAccountName
| sort by TotalFileEncrypted
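One caveat for both the KillNet query and the extension-list query above: has_any and endswith work on search terms, so ".locky" is effectively the term "locky" and would also match a file such as locky.exe, and a short list of extensions can drown in legitimate file names. The added example below, which is not part of the original post, extracts the file's real extension with a regular expression and compares it exactly, then keeps only hosts where one process touched a burst of such files. The extension list, the ActionType filter, the burst threshold of 10 and the one-day window are constructed assumptions for this example; in production the list would come from the externaldata source shown above.

```kql
// Added example (not from the original post): exact extension match plus a per-process burst threshold.
// Constructed sample list for the example; replace with the externaldata feed in production.
let RansomwareExtensions = dynamic([".locky", ".killnet", ".wncry"]);
DeviceFileEvents
| where TimeGenerated > ago(1d)
// Encryption shows up as creates/renames; this filter is an assumption, widen it if needed.
| where ActionType in ("FileCreated", "FileRenamed")
// Pull the last ".something" from the file name so "locky.exe" no longer matches ".locky".
| extend Extension = tolower(extract(@"(\.[^.\\/]+)$", 1, FileName))
| where isnotempty(Extension) and Extension in~ (RansomwareExtensions)
| summarize
    arg_max(TimeGenerated, *),
    EncryptedFiles = make_set(FileName, 100),
    Locations = make_set(FolderPath, 50),
    Extensions = make_set(Extension)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName
| extend TotalFileEncrypted = array_length(EncryptedFiles)
// Assumed threshold: a single process writing 10+ such files in a day is the signal worth paging on.
| where TotalFileEncrypted >= 10
| project-reorder
    TimeGenerated,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessFileName,
    TotalFileEncrypted,
    Extensions,
    EncryptedFiles,
    Locations
| sort by TotalFileEncrypted desc
```

Grouping by the initiating process as well as the device is what turns a list of odd file names into an incident lead: the InitiatingProcessFileName column points straight at the binary to isolate, and the Locations set shows which shares or profiles it reached.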

Ready to become a KQL Champion? 💡

Check out the Must Learn KQL repo, created and maintained by KQL boss, Rod Trent:
📝https://lnkd.in/e2ziN44D
Want to see more queries? Great repo here:
📝https://lnkd.in/eHS59XMM
Security Sentinel Blog:
📝https://lnkd.in/e4UKn6kb
