Query Details

Triggers when a known ransomware extension has been found

Ransomware Extension Found

Query

let RansomwareExtensionsInput  = externaldata(Extension: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-extension-list.txt"] with (format="txt", ignoreFirstRecord=True);
let RansomwareExtensionAddition = dynamic(['.misingfromabovelist']); // Add your missing / new extensions in this list.
let RansomwareExtensions = materialize (
     RansomwareExtensionsInput
     | distinct Extension
     | extend RawExtention = substring(Extension, 1, 
string_size(Extension))
     );
DeviceFileEvents
| where FileName has_any (RansomwareExtensions) or FileName has_any (RansomwareExtensionAddition)
| summarize
     arg_max(Timestamp, *),
     EncryptedFiles = make_set(FileName),
     Locations = make_set(FolderPath)
     by DeviceName
| extend TotalFileEncrypted = array_length(EncryptedFiles)
| project-reorder
     Timestamp,
     TotalFileEncrypted,
     EncryptedFiles,
     Locations,
     InitiatingProcessAccountName
| sort by TotalFileEncrypted

About this query

Explanation

This query is designed to detect potential ransomware activity by identifying files with known ransomware extensions. Here's a simplified explanation:

  1. Purpose: The query aims to trigger an alert when a file with a known ransomware extension is detected. This could indicate that files have been encrypted as part of a ransomware attack.

  2. Data Source: It uses a list of known ransomware file extensions from an external source (a GitHub repository) and allows for additional extensions to be manually added.

  3. Process:

    • It retrieves the list of known ransomware extensions.
    • It checks for any files in the system that have these extensions.
    • If such files are found, it collects information about them, including the file names and their locations.
  4. Output:

    • The query summarizes the findings by device, showing the most recent event, the total number of encrypted files, the names of these files, and their locations.
    • It also includes the account name of the process that initiated the file changes.
    • The results are sorted by the number of encrypted files, highlighting devices with the most potential ransomware activity.
  5. Risk: The presence of these files could indicate that a ransomware attack has occurred, encrypting files to demand a ransom.

This query is implemented in both Microsoft Defender XDR and Sentinel environments, with slight variations in the timestamp field used (Timestamp for Defender XDR and TimeGenerated for Sentinel).

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEventsEncryptedFilesLocationsInitiatingProcessAccountName

Operators

letexternaldatawithdynamicmaterializedistinctextendsubstringstring_sizewherehas_anyorsummarizearg_maxmake_setbyarray_lengthproject-reordersort by

MITRE Techniques

Actions

GitHub