Query Details

KillNet Ransomware Detection

Query

## Detects the KillNet ransomware note and the file extension appended to encrypted files

Source: https://www.virustotal.com/gui/file/db1c8ddcdfea93031a565001366ffa9fdb41a689bddab46aec7611a46bb4dc50/detection

### Defender For Endpoint

```
// Ransom note filename and encrypted-file extension observed in the sample linked above
let killnetRansomNote = "ru.txt";
let killnetRansomExtension = ".killnet";
DeviceFileEvents
// =~ and endswith are case-insensitive, so RU.TXT and .KILLNET also match
| where FileName =~ killnetRansomNote or FileName endswith killnetRansomExtension
| project-reorder Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine
```
### Sentinel
```
// Ransom note filename and encrypted-file extension observed in the sample linked above
let killnetRansomNote = "ru.txt";
let killnetRansomExtension = ".killnet";
DeviceFileEvents
// =~ and endswith are case-insensitive, so RU.TXT and .KILLNET also match
| where FileName =~ killnetRansomNote or FileName endswith killnetRansomExtension
| project-reorder TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine
```

Explanation

The query searches DeviceFileEvents for activity associated with KillNet ransomware: files named "ru.txt" (the ransom note dropped by the sample) or files whose name ends in ".killnet", the extension the ransomware appends to the files it encrypts. Both comparisons (`=~` and `endswith`) are case-insensitive. For each hit the query returns the timestamp, device name, file name, folder path, and the command line of the process that initiated the file event. A hit on "ru.txt" alone is weaker evidence than a hit on the extension, since the note filename is short and generic; during triage, look for devices where both the note and ".killnet" files appear.
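The following is an added example, not part of the original page or the author's query: it replays the same where-clause over a handful of constructed DeviceFileEvents rows (not real telemetry) so the case-insensitive matching of `=~` and `endswith` is visible, and then applies the triage step of keeping only devices where both the note and at least one ".killnet" file were written. The column names, device names and command lines in the sample are assumptions for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict

# Constructed sample of DeviceFileEvents rows (not real telemetry); only the
# columns the query projects are modelled.
@dataclass(frozen=True)
class DeviceFileEvent:
    timestamp: str
    device_name: str
    file_name: str
    folder_path: str
    initiating_process_command_line: str

SAMPLE_EVENTS = [
    DeviceFileEvent("2023-03-08T10:00:01Z", "ws-01", "ru.txt", r"C:\Users\alice\Desktop", "encryptor.exe"),
    DeviceFileEvent("2023-03-08T10:00:02Z", "ws-01", "report.docx.killnet", r"C:\Users\alice\Documents", "encryptor.exe"),
    DeviceFileEvent("2023-03-08T10:00:03Z", "ws-01", "budget.xlsx.KILLNET", r"C:\Users\alice\Documents", "encryptor.exe"),
    DeviceFileEvent("2023-03-08T11:15:00Z", "ws-02", "RU.TXT", r"C:\Users\bob\Downloads", "notepad.exe"),
    DeviceFileEvent("2023-03-08T11:20:00Z", "ws-03", "killnet_report.pdf", r"C:\Users\carol", "outlook.exe"),
    DeviceFileEvent("2023-03-08T11:21:00Z", "ws-03", "notes.txt", r"C:\Users\carol", "notepad.exe"),
]

# Indicators taken from the page's query.
KILLNET_RANSOM_NOTE = "ru.txt"
KILLNET_RANSOM_EXTENSION = ".killnet"


def matches_query(event: DeviceFileEvent) -> bool:
    """Mirror the KQL where-clause: both `=~` and `endswith` are case-insensitive."""
    name = event.file_name.lower()
    return name == KILLNET_RANSOM_NOTE or name.endswith(KILLNET_RANSOM_EXTENSION)


def run_query(events):
    """Equivalent of the page's query: filter rows, then keep the projected columns."""
    return [
        (e.timestamp, e.device_name, e.file_name, e.folder_path, e.initiating_process_command_line)
        for e in events
        if matches_query(e)
    ]


def devices_with_note_and_encrypted_files(events):
    """Triage step: devices where the note AND at least one .killnet file were written.

    A lone "ru.txt" (ws-02 in the sample) is kept out of this list because the
    note filename is generic; the extension is the stronger indicator.
    """
    notes = defaultdict(int)
    encrypted = defaultdict(int)
    for e in events:
        name = e.file_name.lower()
        if name == KILLNET_RANSOM_NOTE:
            notes[e.device_name] += 1
        elif name.endswith(KILLNET_RANSOM_EXTENSION):
            encrypted[e.device_name] += 1
    return sorted(d for d in notes if encrypted.get(d, 0) > 0)


if __name__ == "__main__":
    for row in run_query(SAMPLE_EVENTS):
        print(row)
    print("note + encrypted files:", devices_with_note_and_encrypted_files(SAMPLE_EVENTS))
```

Running it returns four rows (the three ws-01 files and the upper-case "RU.TXT" on ws-02) but lists only ws-01 as a device with both indicators; the "killnet_report.pdf" row is correctly ignored because `endswith` requires the extension at the end of the name.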

Details


Bert-Jan Pals

Released: March 8, 2023

Tables

DeviceFileEvents

Keywords

Devices, Intune, User, KQL

Operators

let, =~, or, endswith, where, project-reorder
