Query Details

Ransomware Behaviour Kill SQL Processes

Behaviour Kill SQL Processes

Query

let TotalKilledThreshold = 10;
let TotalParametersThreshold = 10;
DeviceProcessEvents
| where FileName == "taskkill.exe"
| extend CommandLineParameters = split(ProcessCommandLine, " ")
| extend TotalParameters = array_length(CommandLineParameters)
// Extract allSQL related processes in the CommandLineParameters
| mv-apply KilledProcess = CommandLineParameters on (
    where KilledProcess contains "sql"
    | project KilledProcess
)
| summarize arg_max(Timestamp, *), AllKilledProcess = make_set(KilledProcess) by ReportId
| extend TotalKilledProcesses = array_length(AllKilledProcess)
| project-reorder Timestamp, ProcessCommandLine, TotalParameters, TotalKilledProcesses
| where TotalKilledProcesses >= TotalKilledThreshold and TotalParameters >= TotalParametersThreshold

About this query

Explanation

This query is designed to detect suspicious activity related to ransomware attacks, specifically focusing on the behavior of stopping SQL-related processes. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify when a command is used to terminate multiple SQL-related processes on a system. This behavior is often associated with ransomware attacks, where attackers stop these processes to facilitate their malicious activities.

  2. Technique: It relates to the MITRE ATT&CK technique T1489, which involves stopping or disabling services to disrupt normal operations.

  3. How it Works:

    • The query looks for instances where the taskkill.exe command is executed.
    • It analyzes the command line used with taskkill.exe to identify SQL-related processes being targeted.
    • The query checks how many different SQL processes are being killed and how many parameters are used in the command line.
    • It uses two thresholds: TotalKilledThreshold and TotalParametersThreshold, both set to 10 in this example. These thresholds help determine if the activity is suspicious by requiring a minimum number of processes and parameters to be involved.
  4. Output: The query returns events where the number of SQL processes killed and the number of parameters used meet or exceed the specified thresholds, indicating potentially malicious activity.

  5. Risk: This activity is risky because it suggests an adversary is preparing to deploy ransomware by disabling critical SQL services, which can disrupt operations and aid in the attack.

In summary, this query helps detect potential ransomware attacks by identifying when multiple SQL processes are being terminated, which is a common tactic used by attackers to disable defenses and facilitate data encryption.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsCommandLineParametersSQLProcessesReportIDTimeGenerated

Operators

letsplitarray_lengthmv-applycontainsprojectsummarizearg_maxmake_setextendproject-reorderwhere

MITRE Techniques

Actions

GitHub