Query Details

Detect Black Basta Ransomware Campaign RMM Tools Deployment

Query

// Detect Black Basta Ransomware Campaign
// Social Engineering Attack via Teams

// https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/

// Exclude Corporate Sharepoint
let CorporateSharepoint = "xxx.sharepoint.com";
CloudAppEvents
| where Application == @"Microsoft Teams"
| where ActionType == @"MessageSent"
| where AccountId contains "@"
| where parse_json(RawEventData)["CommunicationType"] == 'OneOnOne'
| where isnotempty(parse_json(RawEventData)["MessageURLs"])
| where (parse_json(RawEventData)["MessageURLs"]) contains ".sharepoint.com"
// External Teams Tenant sending a sharepoint link to download RMM tools to evade detections
| where (parse_json(RawEventData)["MessageURLs"]) !contains CorporateSharepoint

Explanation

This query is designed to detect potential social engineering attacks related to the Black Basta ransomware campaign, specifically targeting Microsoft Teams communications. Here's a simplified breakdown of what the query does:

  1. Data Source: It analyzes events from Microsoft Teams (the CloudAppEvents table), focusing on messages sent within the platform.

  2. Filter Criteria:
    • It looks for messages sent by users with an email address (indicated by the presence of "@" in the AccountId).
    • It specifically targets one-on-one communications (CommunicationType is OneOnOne).
    • It checks that the message contains at least one URL (MessageURLs is not empty).

  3. Suspicious Activity Detection:
    • The query identifies messages that include URLs pointing to SharePoint sites.
    • It excludes URLs that belong to the corporate SharePoint domain (e.g., "xxx.sharepoint.com") to avoid false positives from legitimate internal communications.

  4. Purpose:
    • The goal is to detect external Teams tenants sending SharePoint links that might be used to distribute remote monitoring and management (RMM) tools, a step that can help an intruder evade security detections and prepare a ransomware attack.

Overall, the query is designed to flag potentially malicious messages in Teams that could be part of a broader ransomware campaign, while excluding legitimate corporate communications.
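As an added example (not code from the original post), the same detection logic re-implemented in Python and run over constructed CloudAppEvents rows; the placeholder tenant "xxx.sharepoint.com" is the page's own, while the other tenant and user names are made up. It goes one step beyond the KQL by comparing the parsed URL host exactly instead of substring-matching the URL text.

```python
import json
from urllib.parse import urlparse

# Placeholder corporate tenant host, as in the page's query (not a real tenant).
CORPORATE_SHAREPOINT = "xxx.sharepoint.com"

def sharepoint_hosts(message_urls):
    """Lower-cased hostnames of the SharePoint links in a MessageURLs list."""
    hosts = [(urlparse(u).hostname or "").lower() for u in message_urls]
    return [h for h in hosts if h.endswith(".sharepoint.com")]

def is_suspicious(event, corporate_host=CORPORATE_SHAREPOINT):
    """Apply the query's predicates to one CloudAppEvents row.

    Unlike the KQL, the corporate exclusion compares the parsed URL host
    exactly rather than substring-matching the URL text.
    """
    if event.get("Application") != "Microsoft Teams":
        return False
    if event.get("ActionType") != "MessageSent":
        return False
    if "@" not in event.get("AccountId", ""):
        return False
    raw = json.loads(event.get("RawEventData") or "{}")
    if raw.get("CommunicationType") != "OneOnOne":
        return False
    hosts = sharepoint_hosts(raw.get("MessageURLs") or [])
    # Flag when at least one SharePoint link comes from a non-corporate tenant.
    return any(host != corporate_host for host in hosts)

def flag_events(events):
    """AccountIds of the rows the detection would surface."""
    return [e["AccountId"] for e in events if is_suspicious(e)]

def _event(account, comm_type, urls):
    """Constructed CloudAppEvents-style row for the samples below."""
    return {"Application": "Microsoft Teams", "ActionType": "MessageSent",
            "AccountId": account,
            "RawEventData": json.dumps({"CommunicationType": comm_type,
                                        "MessageURLs": urls})}

# Constructed sample rows; tenants and users are made up.
EXTERNAL_LINK = "https://external-tenant.sharepoint.com/:u:/s/support/tool.exe"
SAMPLE_EVENTS = [
    _event("helpdesk@external-tenant.example", "OneOnOne", [EXTERNAL_LINK]),
    _event("alice@corp.example", "OneOnOne",
           ["https://xxx.sharepoint.com/sites/hr/handbook.pdf"]),
    _event("bob@corp.example", "OneOnOne", ["https://learn.microsoft.com/"]),
    _event("helpdesk@external-tenant.example", "Group", [EXTERNAL_LINK]),
]
```

Only the first sample row is flagged: the corporate link, the non-SharePoint link and the group chat are all dropped, mirroring the query's filters.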

Details

Steven Lim

Released: December 9, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents, Microsoft Teams, AccountId, RawEventData, CommunicationType, MessageURLs, Sharepoint

Operators

let, |, where, ==, contains, parse_json, isnotempty, !contains