Query Details

Hunt for files that have been used by APTs since 2015

Ransomware APT Notes SHA1IOC

Query

let APTInfo = externaldata(Filename: string, Title: string, Source: string, Link: string, SHA1: string, Date: datetime, Year: int)[@"https://raw.githubusercontent.com/aptnotes/data/master/APTnotes.csv"] 
with (format="csv", ignoreFirstRecord=True);
let SHA1IOC = APTInfo
     | where Year > 2015 //first IOC reported in 2008
     | distinct SHA1;
DeviceFileEvents
| where SHA1 has_any (SHA1IOC)
| project
     Timestamp,
     DeviceName,
     InitiatingProcessAccountName,
     InitiatingProcessAccountDomain,
     FileName,
     FolderPath,
     InitiatingProcessCommandLine,
     SHA1

About this query

Hunt for files that have been used by APTs since 2015

Query Information

Description

This query uses a external csv that contains APT Ransomware note hashes. This list is used to search your environment for hash based matches on those ransomware notes.

Risk

An Threat Actor is deploying ransomware in your environment.

Defender XDR

Sentinel

let APTInfo = externaldata(Filename: string, Title: string, Source: string, Link: string, SHA1: string, Date: datetime, Year: int)[@"https://raw.githubusercontent.com/aptnotes/data/master/APTnotes.csv"] 
with (format="csv", ignoreFirstRecord=True);
let SHA1IOC = APTInfo
     | where Year > 2015 //first IOC reported in 2008
     | distinct SHA1;
DeviceFileEvents
| where SHA1 has_any (SHA1IOC)
| project
     TimeGenerated,
     DeviceName,
     InitiatingProcessAccountName,
     InitiatingProcessAccountDomain,
     FileName,
     FolderPath,
     InitiatingProcessCommandLine,
     SHA1

Explanation

This query is designed to help identify files in your environment that may be associated with Advanced Persistent Threats (APTs) using ransomware since 2015. Here's a simple breakdown of what the query does:

  1. Data Source: It uses an external CSV file that contains information about ransomware notes used by APTs. This file includes details like the filename, title, source, link, SHA1 hash, date, and year of the ransomware notes.

  2. Filter for Recent Threats: The query filters this data to only include ransomware notes reported after 2015. This is done to focus on more recent threats.

  3. Identify Matches: It then checks your environment's file events to see if any files have SHA1 hashes that match those in the filtered list from the CSV.

  4. Output Information: If matches are found, the query outputs details such as the timestamp of the event, the device name, the account name and domain that initiated the process, the filename, the folder path, the command line used to initiate the process, and the SHA1 hash of the file.

The query is run in both Defender XDR and Sentinel environments, with slight differences in the output field names (e.g., Timestamp vs. TimeGenerated), but the core functionality remains the same. This helps in detecting potential ransomware activity linked to known APTs in your network.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceFileEvents

Keywords

APTRansomwareDeviceFileEventsTimestampNameInitiatingProcessAccountDomainFolderPathCommandLineSHA1

Operators

letexternaldatawithwheredistincthas_anyproject

Actions

GitHub