Query Details
```kql
// DefenderXDR: Medusa Ransomware Detection
// https://www.cisa.gov/sites/default/files/2025-03/aa25-071a-stopransomware-medusa-ransomware.pdf
// Service ports associated with Medusa discovery activity (see the advisory above).
// Kept as integers so they compare correctly against the integer LocalPort column.
let MedusaDiscovery = dynamic([21, 22, 23, 80, 115, 443, 1433, 3050, 3128, 3306, 3389]);
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where ActionType == @"ConnectionAttempt"
// Inbound only: connections initiated by the remote host toward the device
| where parse_json(AdditionalFields)["direction"] == 'In'
| where LocalPort in (MedusaDiscovery)
// Distinct devices and distinct watched ports touched by each remote IP
| summarize TargetDevice=dcount(DeviceName), TargetPort=dcount(LocalPort) by RemoteIP
| where TargetPort == array_length(MedusaDiscovery) // Matched all 11 MedusaDiscovery ports
```
This query is designed to detect potential Medusa ransomware activity by monitoring network connection attempts. Here's a simplified explanation:
Time Frame: It looks at network events from the past hour.
Action Type: It specifically filters for events where there was an attempt to establish a connection.
Direction: It focuses on incoming connections, meaning connections initiated from outside the network towards devices within the network.
Ports of Interest: It checks if the connection attempts are targeting specific ports associated with Medusa ransomware activity. These ports are listed in the MedusaDiscovery array and include common service ports like 21 (FTP), 22 (SSH), 80 (HTTP), 443 (HTTPS), and others.
Summarization: It counts the number of unique devices (TargetDevice) and unique ports (TargetPort) that each remote IP address is attempting to connect to.
Final Filter: It only considers cases where a remote IP has attempted to connect to all 11 specified ports, which could indicate a comprehensive scanning or probing activity typical of ransomware reconnaissance.
In essence, the query is looking for signs of a network scan targeting specific ports that could be indicative of Medusa ransomware trying to discover vulnerable devices within the network.
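To make the aggregation logic concrete offline, here is an added Python replica of the query's pipeline run over constructed DeviceNetworkEvents-style rows; it is example code written for this page, not the original KQL, and the host names, IP addresses and event rows are all constructed. It shows which rows each filter drops (outbound, stale, partial probes) and that only a remote IP covering all 11 ports is returned.

```python
"""Offline replica of the Medusa port-sweep detection (added example, not the
original KQL). Event rows are constructed to mimic DeviceNetworkEvents."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MEDUSA_DISCOVERY = {21, 22, 23, 80, 115, 443, 1433, 3050, 3128, 3306, 3389}

def detect_port_sweeps(events, now, window=timedelta(hours=1), ports=MEDUSA_DISCOVERY):
    """Mirror the KQL: last hour, inbound ConnectionAttempt on a watched port,
    dcount(DeviceName) and dcount(LocalPort) per RemoteIP, alert on full coverage."""
    per_ip = defaultdict(lambda: {"devices": set(), "ports": set()})
    for ev in events:
        if ev["Timestamp"] <= now - window:            # Timestamp > ago(1h)
            continue
        if ev["ActionType"] != "ConnectionAttempt":
            continue
        if json.loads(ev["AdditionalFields"]).get("direction") != "In":
            continue
        if ev["LocalPort"] not in ports:               # LocalPort in (MedusaDiscovery)
            continue
        agg = per_ip[ev["RemoteIP"]]
        agg["devices"].add(ev["DeviceName"])
        agg["ports"].add(ev["LocalPort"])
    # Alert only when every watched port was touched (the TargetPort == 11 filter).
    return {ip: (len(a["devices"]), len(a["ports"]))
            for ip, a in per_ip.items() if len(a["ports"]) == len(ports)}

def make_event(ts, ip, device, port, action="ConnectionAttempt", direction="In"):
    return {"Timestamp": ts, "RemoteIP": ip, "DeviceName": device, "LocalPort": port,
            "ActionType": action, "AdditionalFields": json.dumps({"direction": direction})}

def sample_events(now):
    """Constructed rows: a full sweep over three hosts, a partial probe, outbound
    noise on the same ports, and a sweep older than the one-hour window."""
    t = now - timedelta(minutes=5)
    ordered = sorted(MEDUSA_DISCOVERY)
    sweep = [make_event(t, "203.0.113.7", f"ws-{i % 3:02d}", p) for i, p in enumerate(ordered)]
    partial = [make_event(t, "203.0.113.8", "ws-00", p) for p in (22, 80, 443, 3389)]
    outbound = [make_event(t, "203.0.113.9", "ws-01", p, direction="Out") for p in ordered]
    stale = [make_event(now - timedelta(hours=2), "203.0.113.10", "ws-02", p) for p in ordered]
    return sweep + partial + outbound + stale

def run_detection(now=None):
    """Run the detection over the constructed sample; returns {RemoteIP: (devices, ports)}."""
    now = now or datetime.now(timezone.utc)
    return detect_port_sweeps(sample_events(now), now)

if __name__ == "__main__":
    print(run_detection())
```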

Steven Lim
Released: March 13, 2025