Ransomware Behaviour Kill SQL Processes
Behaviour Kill SQL Processes
Query
let TotalKilledThreshold = 10;
let TotalParametersThreshold = 10;
DeviceProcessEvents
| where FileName == "taskkill.exe"
| extend CommandLineParameters = split(ProcessCommandLine, " ")
| extend TotalParameters = array_length(CommandLineParameters)
// Extract allSQL related processes in the CommandLineParameters
| mv-apply KilledProcess = CommandLineParameters on (
where KilledProcess contains "sql"
| project KilledProcess
)
| summarize arg_max(Timestamp, *), AllKilledProcess = make_set(KilledProcess) by ReportId
| extend TotalKilledProcesses = array_length(AllKilledProcess)
| project-reorder Timestamp, ProcessCommandLine, TotalParameters, TotalKilledProcesses
| where TotalKilledProcesses >= TotalKilledThreshold and TotalParameters >= TotalParametersThresholdAbout this query
Explanation
This query is designed to detect suspicious activity related to ransomware attacks, specifically focusing on the behavior of stopping SQL-related processes. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to identify when a command is used to terminate multiple SQL-related processes on a system. This behavior is often associated with ransomware attacks, where attackers stop these processes to facilitate their malicious activities.
-
Technique: It relates to the MITRE ATT&CK technique T1489, which involves stopping or disabling services to disrupt normal operations.
-
How it Works:
- The query looks for instances where the
taskkill.execommand is executed. - It analyzes the command line used with
taskkill.exeto identify SQL-related processes being targeted. - The query checks how many different SQL processes are being killed and how many parameters are used in the command line.
- It uses two thresholds:
TotalKilledThresholdandTotalParametersThreshold, both set to 10 in this example. These thresholds help determine if the activity is suspicious by requiring a minimum number of processes and parameters to be involved.
- The query looks for instances where the
-
Output: The query returns events where the number of SQL processes killed and the number of parameters used meet or exceed the specified thresholds, indicating potentially malicious activity.
-
Risk: This activity is risky because it suggests an adversary is preparing to deploy ransomware by disabling critical SQL services, which can disrupt operations and aid in the attack.
In summary, this query helps detect potential ransomware attacks by identifying when multiple SQL processes are being terminated, which is a common tactic used by attackers to disable defenses and facilitate data encryption.
