# ASR Ransomware
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1486 | Data Encrypted for Impact |https://attack.mitre.org/techniques/T1486|
#### Description
Detects when the ASR rule AsrRansomwareBlocked or AsrRansomwareAudited is triggered. MDE uses client and cloud heuristics to determine whether a file resembles ransomware; the file could, for example, be the script used to encrypt files. By default Defender for Endpoint generates no alert for these events, so the rule firing is only visible in the DeviceEvents table. Note the difference between the two ActionTypes: AsrRansomwareBlocked means the file was stopped, while AsrRansomwareAudited means the rule was in audit mode and the file was only logged, so it may still have executed. Either can be the start of a ransomware attack. Additional information is available from Microsoft.
#### Risk
An actor has gained access to your network and is trying to execute ransomware.
#### References
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#use-advanced-protection-against-ransomware
## Defender For Endpoint
```
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType has_any ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
| summarize
    arg_max(Timestamp, *),
    TotalEvents = count(),
    TriggeredFiles = make_set(FileName),
    FileHashes = make_set(SHA1),
    InitiatingProcesses = make_set(InitiatingProcessCommandLine)
    by DeviceName, AccountName
| project
    Timestamp,
    DeviceName,
    AccountDomain,
    AccountName,
    TotalEvents,
    TriggeredFiles,
    FileHashes,
    InitiatingProcesses
```
## Sentinel
```
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType has_any ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
| summarize
    arg_max(TimeGenerated, *),
    TotalEvents = count(),
    TriggeredFiles = make_set(FileName),
    FileHashes = make_set(SHA1),
    InitiatingProcesses = make_set(InitiatingProcessCommandLine)
    by DeviceName, AccountName
| project
    TimeGenerated,
    DeviceName,
    AccountDomain,
    AccountName,
    TotalEvents,
    TriggeredFiles,
    FileHashes,
    InitiatingProcesses
```
This query detects when the ASR rule AsrRansomwareBlocked or AsrRansomwareAudited is triggered. It looks for DeviceEvents in the past 30 days where the ActionType is either 'AsrRansomwareBlocked' or 'AsrRansomwareAudited', summarizes them per DeviceName and AccountName (keeping the most recent event's columns via arg_max), and projects the time of the latest hit (Timestamp in Defender for Endpoint, TimeGenerated in Sentinel), DeviceName, AccountDomain, AccountName, TotalEvents, TriggeredFiles, FileHashes, and InitiatingProcesses. The make_set columns give responders the file names, SHA1 hashes and parent command lines to pivot on. The same logic works in both Defender for Endpoint advanced hunting and Sentinel.
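The query above counts both ActionTypes together, which hides the most important triage question: was the file actually blocked, or did the rule only audit it and let it run? The following variant is an added example, not part of the original query or of the author's repository. It uses only standard DeviceEvents columns (ActionType, FileName, SHA1, InitiatingProcessFileName, AccountDomain, AccountName) and splits the counts per ActionType so devices where the rule ran in audit mode surface first; the Mode label and the 25-element cap on make_set are choices made here, not part of the original.

```kql
// Added example: separate audit-only hits (payload was not stopped) from blocked hits.
// Assumes the Defender for Endpoint column names; in Sentinel replace Timestamp with TimeGenerated.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType in ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    BlockedEvents = countif(ActionType == 'AsrRansomwareBlocked'),
    AuditedEvents = countif(ActionType == 'AsrRansomwareAudited'),
    TriggeredFiles = make_set(FileName, 25),
    FileHashes = make_set(SHA1, 25),
    InitiatingProcesses = make_set(InitiatingProcessFileName, 25)
    by DeviceName, AccountDomain, AccountName
// Mode tells the responder whether the file was stopped or only observed.
| extend Mode = case(
    BlockedEvents > 0 and AuditedEvents == 0, 'Blocked',
    AuditedEvents > 0 and BlockedEvents == 0, 'AuditOnly',
    'Mixed')
// Audit-only devices first: there the ransomware candidate may actually have run.
| order by AuditedEvents desc, LastSeen desc
| project
    FirstSeen,
    LastSeen,
    DeviceName,
    AccountDomain,
    AccountName,
    Mode,
    BlockedEvents,
    AuditedEvents,
    TriggeredFiles,
    FileHashes,
    InitiatingProcesses
```

For a device that shows up as AuditOnly, the next step is to pivot on the FileHashes values into DeviceFileEvents and DeviceProcessEvents to confirm whether the file was written elsewhere or executed, and to check the ASR rule configuration so that it can be moved from audit to block mode.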

Bert-Jan Pals
Released: March 8, 2023