Query Details
# Hunt for files that have been used by APTs since 2015
----
### Defender For Endpoint
```
let APTInfo = externaldata(Filename: string, Title: string, Source: string, Link: string, SHA1: string, Date: datetime, Year: int)[@"https://raw.githubusercontent.com/aptnotes/data/master/APTnotes.csv"]
with (format="csv", ignoreFirstRecord=True);
let SHA1IOC = APTInfo
| where Year >= 2015 // 2015 onward, as in the title; the earliest entry in the feed is from 2008
| where isnotempty(SHA1) // drop rows that carry no hash so an empty term cannot widen the match
| distinct SHA1;
DeviceFileEvents
| where SHA1 has_any (SHA1IOC) // has_any is case-insensitive, so hash casing in the feed does not matter
| project
    Timestamp,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessAccountDomain,
    FileName,
    FolderPath,
    InitiatingProcessCommandLine,
    SHA1
```
### Sentinel
```
let APTInfo = externaldata(Filename: string, Title: string, Source: string, Link: string, SHA1: string, Date: datetime, Year: int)[@"https://raw.githubusercontent.com/aptnotes/data/master/APTnotes.csv"]
with (format="csv", ignoreFirstRecord=True);
let SHA1IOC = APTInfo
| where Year >= 2015 // 2015 onward, as in the title; the earliest entry in the feed is from 2008
| where isnotempty(SHA1) // drop rows that carry no hash so an empty term cannot widen the match
| distinct SHA1;
DeviceFileEvents
| where SHA1 has_any (SHA1IOC) // has_any is case-insensitive, so hash casing in the feed does not matter
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessAccountDomain,
    FileName,
    FolderPath,
    InitiatingProcessCommandLine,
    SHA1
```

The query hunts for files on endpoints whose SHA-1 matches a hash listed in the APTnotes data set from 2015 onward. It loads the APTnotes CSV with `externaldata`, keeps the rows with `Year >= 2015`, and collects the distinct SHA-1 values. It then filters `DeviceFileEvents` to events whose `SHA1` matches any of those values and projects the timestamp, device name, initiating account and domain, file name and folder path, the initiating command line, and the hash. Two caveats: `externaldata` fetches the CSV from GitHub each time the query runs, so the query engine must be able to reach that URL and the hash list is only as current as the feed; and each APTnotes row describes a published report (Filename, Title, Source, Link), so confirm what its SHA-1 column actually hashes before treating a hit as evidence of malware execution rather than of a report document being present on the device.
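The following is an added example, not the page's query or the author's code: an offline Python re-implementation of the same matching logic, so the hunt can be exercised against a feed-shaped CSV and a handful of file events without a Defender or Sentinel workspace. The feed rows, hashes, device names, paths and command lines are constructed for the example; it goes slightly beyond the KQL by reporting feed rows that carry an empty or malformed hash, which a plain `distinct SHA1` would otherwise pass through as match terms.

```python
"""Offline re-implementation of the APTnotes SHA-1 hunt, for testing the logic.

Added example, not the page's KQL: it mirrors what the query does (load the
feed, keep Year >= 2015, collect SHA-1 values, match them against file events
and project the same columns) so the logic can be checked without a workspace.
"""
import csv
import hashlib
import io
import re

# --- Constructed sample data (not real APTnotes rows, not real telemetry) ---
# Hashes are derived from the file names purely so that they are well-formed.
H_2014 = hashlib.sha1(b"report-2014.pdf").hexdigest()
H_2015 = hashlib.sha1(b"report-2015.pdf").hexdigest()
H_2019 = hashlib.sha1(b"report-2019.pdf").hexdigest()

# Same column order as the feed declared in the externaldata() call.
# Deliberately includes an upper-case hash, an empty hash and a truncated hash.
APTNOTES_CSV = f"""Filename,Title,Source,Link,SHA-1,Date,Year
report-2014.pdf,Old report,VendorA,https://example.invalid/a,{H_2014},2014-03-01,2014
report-2015.pdf,Report one,VendorB,https://example.invalid/b,{H_2015.upper()},2015-06-10,2015
report-2019.pdf,Report two,VendorC,https://example.invalid/c,{H_2019},2019-01-20,2019
no-hash.pdf,Missing hash,VendorC,https://example.invalid/d,,2020-02-02,2020
bad-hash.pdf,Truncated hash,VendorD,https://example.invalid/e,abc123,2021-05-05,2021
"""

# Constructed rows in the shape of DeviceFileEvents.
FILE_EVENTS = [
    {"Timestamp": "2023-02-10T09:12:44Z", "DeviceName": "ws-0142",
     "InitiatingProcessAccountName": "j.doe", "InitiatingProcessAccountDomain": "corp",
     "FileName": "Report two.pdf", "FolderPath": r"C:\Users\j.doe\Downloads\Report two.pdf",
     "InitiatingProcessCommandLine": "chrome.exe --profile-directory=Default",
     "SHA1": H_2019.upper()},                      # matches despite different case
    {"Timestamp": "2023-02-10T10:01:02Z", "DeviceName": "ws-0077",
     "InitiatingProcessAccountName": "m.lee", "InitiatingProcessAccountDomain": "corp",
     "FileName": "Old report.pdf", "FolderPath": r"C:\Temp\Old report.pdf",
     "InitiatingProcessCommandLine": "explorer.exe", "SHA1": H_2014},  # pre-2015, no match
    {"Timestamp": "2023-02-11T07:30:00Z", "DeviceName": "srv-db01",
     "InitiatingProcessAccountName": "svc_backup", "InitiatingProcessAccountDomain": "corp",
     "FileName": "Report one.pdf", "FolderPath": r"D:\Share\Report one.pdf",
     "InitiatingProcessCommandLine": r"robocopy.exe D:\In D:\Share /E",
     "SHA1": H_2015},                              # matches
    {"Timestamp": "2023-02-11T08:00:00Z", "DeviceName": "ws-0142",
     "InitiatingProcessAccountName": "j.doe", "InitiatingProcessAccountDomain": "corp",
     "FileName": "notes.txt", "FolderPath": r"C:\Users\j.doe\notes.txt",
     "InitiatingProcessCommandLine": "notepad.exe", "SHA1": ""},      # no hash recorded
]

# Columns kept by the query's project clause.
PROJECTED = ("Timestamp", "DeviceName", "InitiatingProcessAccountName",
             "InitiatingProcessAccountDomain", "FileName", "FolderPath",
             "InitiatingProcessCommandLine", "SHA1")

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def load_ioc_hashes(csv_text, min_year=2015):
    """Mirror the SHA1IOC sub-query: rows with Year >= min_year, distinct SHA-1.

    Hashes are lower-cased so matching is case-insensitive, as KQL has_any is.
    Returns (hashes, rejected); rejected lists (Filename, reason) for rows with
    no usable hash, which a plain `distinct SHA1` would pass through.
    """
    hashes, rejected = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            year = int(row["Year"])
        except ValueError:
            rejected.append((row["Filename"], "bad year"))
            continue
        if year < min_year:
            continue
        sha1 = row["SHA-1"].strip().lower()
        if not sha1:
            rejected.append((row["Filename"], "empty hash"))
        elif not SHA1_RE.match(sha1):
            rejected.append((row["Filename"], "malformed hash"))
        else:
            hashes.add(sha1)
    return hashes, rejected


def hunt(events, hashes):
    """Mirror the DeviceFileEvents part: keep events whose SHA1 is in the IOC set."""
    hits = []
    for ev in events:
        sha1 = (ev.get("SHA1") or "").strip().lower()
        if sha1 and sha1 in hashes:
            hits.append({col: ev.get(col) for col in PROJECTED})
    return hits


if __name__ == "__main__":
    iocs, bad_rows = load_ioc_hashes(APTNOTES_CSV)
    print(f"{len(iocs)} usable hashes, {len(bad_rows)} rejected feed rows: {bad_rows}")
    for hit in hunt(FILE_EVENTS, iocs):
        print(hit["Timestamp"], hit["DeviceName"], hit["FolderPath"], hit["SHA1"])
```

Running it yields two hits (the upper-cased 2019 hash on `ws-0142` and the 2015 hash on `srv-db01`) and two rejected feed rows; the 2014 hash and the event without a recorded hash produce nothing. Swapping the constructed CSV for the real APTnotes file is the quickest way to see how many of its rows actually carry a usable hash before relying on the KQL version.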

Bert-Jan Pals
Released: February 14, 2023