Query Details

RULE 10 M365 One Drive Ransomware Like Behavior

Query

// Rule    : M365 - OneDrive Ransomware-Like File Replacement Pattern
// Severity: Critical
// Tactics : Impact
// MITRE   : T1486 (Data Encrypted for Impact)
// Freq    : PT30M   Period: PT30M
// Description: Detects ransomware-like behavior in OneDrive where a user deletes
//              or overwrites a large number of unique files within a short time window.
//              Correlates FileDeleted + FileModified or upload of files with suspicious
//              extensions (.locked, .encrypt, .cry, etc.)
//==========================================================================================

let RansomExtensions = dynamic([
    ".locked", ".encrypt", ".crypted", ".crypt", ".cry", ".wnry",
    ".wncry", ".wcry", ".ecc", ".ezz", ".exx", ".axx", ".abc",
    ".xyz", ".locky", ".crypz", ".zepto"
]);
let MassDeleteThreshold = 50;   // files deleted/replaced in 30 min
let LookbackPeriod      = 30m;

OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "OneDrive"
| where Operation in ("FileDeleted", "FileModified", "FileUploaded", "FileVersionsAllDeleted")
| extend FileExt = tostring(extract(@"(\.[a-zA-Z0-9]+)$", 1, SourceFileName))
| extend IsSuspiciousExt = FileExt in~ (RansomExtensions)
| summarize
    TotalOps          = count(),
    DeletedCount      = countif(Operation == "FileDeleted"),
    VersionsDeleted   = countif(Operation == "FileVersionsAllDeleted"),
    UploadedCount     = countif(Operation == "FileUploaded"),
    SuspiciousExtCount = countif(IsSuspiciousExt),
    UniqueFiles       = dcount(SourceFileName),
    FileSample        = make_set(SourceFileName, 15),
    ClientIPs         = make_set(ClientIP, 5)
    by UserId
| where DeletedCount >= MassDeleteThreshold
    or VersionsDeleted >= 10
    or SuspiciousExtCount >= 5
| extend AlertSeverity = case(
    SuspiciousExtCount >= 5 or VersionsDeleted >= 10, "Critical",
    DeletedCount >= 200,                              "High",
    "Medium")
| project
    TimeGenerated  = now(),
    UserId,
    DeletedCount,
    VersionsDeleted,
    UploadedCount,
    SuspiciousExtCount,
    UniqueFiles,
    FileSample,
    ClientIPs,
    AlertSeverity

Explanation

This query is designed to detect potential ransomware activity in OneDrive by monitoring for suspicious file operations. Here's a simplified breakdown:

  1. Purpose: The query identifies ransomware-like behavior in which a single user deletes or modifies a large number of files in a short period, paying particular attention to files whose extensions are commonly associated with ransomware.

  2. Key Components:

    • RansomExtensions: A list of file extensions typically appended by ransomware (e.g., .locked, .encrypt).
    • MassDeleteThreshold: A threshold of 50 files; the query compares the count of FileDeleted operations within the 30-minute window against it.
    • LookbackPeriod: The 30-minute window during which file operations are examined.

  3. Process:

    • The query examines OneDrive activities from the last 30 minutes.
    • It filters for the operations FileDeleted, FileModified, FileUploaded, and FileVersionsAllDeleted.
    • It extracts each file's extension and flags it as suspicious if it appears in the RansomExtensions list (the comparison is case-insensitive).
    • It summarizes the data by user, counting total operations, deletions, version deletions, uploads, suspicious extensions, and distinct file names, and keeps a sample of file names and client IPs.

  4. Alert Conditions:

    • An alert is triggered if, for one user within the window:
      • 50 or more files are deleted, or
      • 10 or more FileVersionsAllDeleted operations occur, or
      • 5 or more operations involve files with suspicious extensions.
    • The severity of the alert is determined from the counts:
      • "Critical" if there are 5 or more suspicious extensions or 10 or more version deletions.
      • "High" if there are 200 or more deletions.
      • "Medium" otherwise.

  5. Output:

    • The query outputs the current time, user ID, counts of each operation type, the number of unique files, a sample of file names, client IPs, and the alert severity.

In essence, this query helps in early detection of ransomware attacks by identifying unusual patterns of file operations in OneDrive that resemble ransomware behavior.
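The following is an added example, not part of the original rule: a Python re-implementation of the same per-user aggregation, thresholds and severity ladder, run offline against constructed OfficeActivity-style records. The field names (TimeGenerated, RecordType, Operation, SourceFileName, ClientIP, UserId) follow the OfficeActivity table used by the query; the user names, IP address and timestamps are constructed for the example. It is useful for checking how the rule behaves on edge cases before deploying it, such as an upper-case ransomware extension (matched case-insensitively, as `in~` does), activity just outside the 30-minute lookback, and a FileModified burst that passes the filter but has no counter of its own.

```python
"""Offline model of the OneDrive ransomware-like detection (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Same extension list and thresholds as the KQL rule above.
RANSOM_EXTENSIONS = {
    ".locked", ".encrypt", ".crypted", ".crypt", ".cry", ".wnry",
    ".wncry", ".wcry", ".ecc", ".ezz", ".exx", ".axx", ".abc",
    ".xyz", ".locky", ".crypz", ".zepto",
}
MASS_DELETE_THRESHOLD = 50
LOOKBACK = timedelta(minutes=30)
WATCHED_OPS = {"FileDeleted", "FileModified", "FileUploaded", "FileVersionsAllDeleted"}
EXT_RE = re.compile(r"(\.[a-zA-Z0-9]+)$")   # same regex as the KQL extract()


def file_ext(name):
    """Trailing extension, lower-cased because the KQL uses case-insensitive in~."""
    m = EXT_RE.search(name)
    return m.group(1).lower() if m else ""


def evaluate(records, now):
    """Return {UserId: alert fields} for users that cross any threshold."""
    cutoff = now - LOOKBACK
    stats = {}
    for r in records:
        if r["TimeGenerated"] <= cutoff:          # outside ago(LookbackPeriod)
            continue
        if r["RecordType"] != "OneDrive" or r["Operation"] not in WATCHED_OPS:
            continue
        s = stats.setdefault(r["UserId"], {
            "TotalOps": 0, "DeletedCount": 0, "VersionsDeleted": 0,
            "UploadedCount": 0, "SuspiciousExtCount": 0,
            "_files": set(), "_ips": set()})
        s["TotalOps"] += 1
        op = r["Operation"]
        if op == "FileDeleted":
            s["DeletedCount"] += 1
        elif op == "FileVersionsAllDeleted":
            s["VersionsDeleted"] += 1
        elif op == "FileUploaded":
            s["UploadedCount"] += 1
        # FileModified passes the filter but, as in the KQL, has no dedicated
        # counter; it still contributes to TotalOps, UniqueFiles and SuspiciousExtCount.
        if file_ext(r["SourceFileName"]) in RANSOM_EXTENSIONS:
            s["SuspiciousExtCount"] += 1
        s["_files"].add(r["SourceFileName"])
        s["_ips"].add(r["ClientIP"])

    alerts = {}
    for user, s in stats.items():
        if not (s["DeletedCount"] >= MASS_DELETE_THRESHOLD
                or s["VersionsDeleted"] >= 10
                or s["SuspiciousExtCount"] >= 5):
            continue
        if s["SuspiciousExtCount"] >= 5 or s["VersionsDeleted"] >= 10:
            severity = "Critical"
        elif s["DeletedCount"] >= 200:
            severity = "High"
        else:
            severity = "Medium"
        alerts[user] = {
            "DeletedCount": s["DeletedCount"],
            "VersionsDeleted": s["VersionsDeleted"],
            "UploadedCount": s["UploadedCount"],
            "SuspiciousExtCount": s["SuspiciousExtCount"],
            "UniqueFiles": len(s["_files"]),
            "FileSample": sorted(s["_files"])[:15],   # make_set(..., 15); KQL order is arbitrary
            "ClientIPs": sorted(s["_ips"])[:5],       # make_set(..., 5)
            "AlertSeverity": severity,
        }
    return alerts


# Constructed sample data (not real telemetry).
NOW = datetime(2026, 3, 18, 12, 0, tzinfo=timezone.utc)


def _rec(user, op, name, minutes_ago, ip="203.0.113.10"):
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "RecordType": "OneDrive", "Operation": op,
            "SourceFileName": name, "ClientIP": ip, "UserId": user}


SAMPLE = (
    # alice: six uploads with an upper-case ransomware extension -> Critical
    [_rec("alice@example.com", "FileUploaded", f"report{i}.docx.LOCKED", 5) for i in range(6)]
    # bob: 60 plain deletions inside the window -> alert, Medium (below the 200 "High" bar)
    + [_rec("bob@example.com", "FileDeleted", f"old{i}.txt", 10) for i in range(60)]
    # carol: 60 deletions, but 45 minutes ago -> outside the lookback, no alert
    + [_rec("carol@example.com", "FileDeleted", f"archive{i}.txt", 45) for i in range(60)]
    # dave: 80 modifications of ordinary files -> filtered in, but no threshold applies
    + [_rec("dave@example.com", "FileModified", f"notes{i}.txt", 2) for i in range(80)]
)

if __name__ == "__main__":
    for user, alert in evaluate(SAMPLE, NOW).items():
        print(user, alert["AlertSeverity"], alert["DeletedCount"], alert["SuspiciousExtCount"])
```

Running it shows only alice (Critical) and bob (Medium) alerting; dave's 80 FileModified events are silently absorbed, which is the gap to keep in mind if the rule is expected to catch in-place overwrites rather than only deletions and renamed uploads.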

Details


David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

OfficeActivity, OneDrive, FileDeleted, FileModified, FileUploaded, FileVersionsAllDeleted, SourceFileName, ClientIP, UserId

Operators

let, dynamic, ago, in, extend, tostring, extract, in~, summarize, count, countif, dcount, make_set, by, case, project, now
