Query Details

Ransomware Extension Found

Query

# Triggers when a known ransomware extension has been found
----
### Defender For Endpoint

```
// Extension list fetched from a public GitHub repository; the first line of the file is a header and is skipped.
let RansomwareExtensionsInput = externaldata(Extension: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-extension-list.txt"] with (format="txt", ignoreFirstRecord=True);
let RansomwareExtensionAddition = dynamic(['.missingfromabovelist']); // Add your missing / new extensions in this list.
let RansomwareExtensions = materialize (
    RansomwareExtensionsInput
    | distinct Extension
    // Extension without the leading dot (informational only; the match below uses Extension).
    | extend RawExtension = substring(Extension, 1, string_size(Extension))
);
DeviceFileEvents
// has_any is a term match, so an entry such as ".lock" also hits any file name containing the term "lock".
| where FileName has_any (RansomwareExtensions) or FileName has_any (RansomwareExtensionAddition)
| summarize
    arg_max(Timestamp, *),
    EncryptedFiles = make_set(FileName),
    Locations = make_set(FolderPath)
    by DeviceName
| extend TotalFileEncrypted = array_length(EncryptedFiles)
| project-reorder
    Timestamp,
    TotalFileEncrypted,
    EncryptedFiles,
    Locations,
    InitiatingProcessAccountName
| sort by TotalFileEncrypted
```
### Sentinel
```
// Extension list fetched from a public GitHub repository; the first line of the file is a header and is skipped.
let RansomwareExtensionsInput = externaldata(Extension: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-extension-list.txt"] with (format="txt", ignoreFirstRecord=True);
let RansomwareExtensionAddition = dynamic(['.missingfromabovelist']); // Add your missing / new extensions in this list.
let RansomwareExtensions = materialize (
    RansomwareExtensionsInput
    | distinct Extension
    // Extension without the leading dot (informational only; the match below uses Extension).
    | extend RawExtension = substring(Extension, 1, string_size(Extension))
);
DeviceFileEvents
// has_any is a term match, so an entry such as ".lock" also hits any file name containing the term "lock".
| where FileName has_any (RansomwareExtensions) or FileName has_any (RansomwareExtensionAddition)
| summarize
    arg_max(TimeGenerated, *),
    EncryptedFiles = make_set(FileName),
    Locations = make_set(FolderPath)
    by DeviceName
| extend TotalFileEncrypted = array_length(EncryptedFiles)
| project-reorder
    TimeGenerated,
    TotalFileEncrypted,
    EncryptedFiles,
    Locations,
    InitiatingProcessAccountName
| sort by TotalFileEncrypted
```
Explanation

The query is designed to trigger an alert when a known ransomware extension is found. It retrieves a list of ransomware extensions from a GitHub repository and lets you supply missing or new extensions in a second, inline list. It then searches file events on devices where the file name matches any extension from either list. The query summarizes the results by device, including the timestamp, the total number of encrypted files, the encrypted file names, the file locations, and the initiating process account name. The results are sorted by the total number of encrypted files. The query is written for both Microsoft Defender for Endpoint and Azure Sentinel; the two versions differ only in the timestamp column (Timestamp versus TimeGenerated).
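An added variant, written here as an example and not taken from the original query or its author: it extracts the file extension and compares it exactly against the list (instead of the term match of has_any, which also fires on file names that merely contain the extension's word), folds the manual additions into the same list, and only reports a device once a threshold of distinct files is reached within an hour. The threshold value, the ActionType filter and the extraction regex are assumptions; the list URL and the DeviceFileEvents columns are those used by the original query.

```kql
// Added example: exact-extension match with a per-device, per-hour threshold (not the original query).
let RansomwareExtensionsInput = externaldata(Extension: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-extension-list.txt"] with (format="txt", ignoreFirstRecord=True);
let RansomwareExtensionAddition = dynamic(['.missingfromabovelist']); // assumption: your own additions
let MinFilesPerDevice = 20; // assumption: tune to the environment's normal file activity
let RansomwareExtensions = materialize (
    RansomwareExtensionsInput
    // Fold the manual additions into one single-column list so a tabular `in` can use it.
    | union (print Extension = RansomwareExtensionAddition | mv-expand Extension to typeof(string))
    | extend Extension = tolower(trim(@"\s", Extension))
    | where isnotempty(Extension)
    | distinct Extension
);
DeviceFileEvents
| where ActionType in ("FileCreated", "FileRenamed", "FileModified")
// Last ".something" segment of the file name, lower-cased; files without an extension are dropped.
| extend Ext = tolower(extract(@"(\.[^.\\/]+)$", 1, FileName))
| where isnotempty(Ext)
| where Ext in (RansomwareExtensions)
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    TotalFileEncrypted = dcount(FileName),
    EncryptedFiles = make_set(FileName, 100),
    Locations = make_set(FolderPath, 50),
    Processes = make_set(InitiatingProcessFileName, 20),
    Accounts = make_set(InitiatingProcessAccountName, 10)
    by DeviceName, Ext, Hour = bin(Timestamp, 1h)
| where TotalFileEncrypted >= MinFilesPerDevice
| sort by TotalFileEncrypted desc
```

For Sentinel, replace Timestamp with TimeGenerated as in the original Sentinel version.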

Details


Bert-Jan Pals

Released: March 8, 2023

Tables

DeviceFileEvents

Keywords

Triggers, ransomware, extension, DefenderForEndpoint, Sentinel, let, externaldata, format, ignoreFirstRecord, dynamic, materialize, DeviceFileEvents, where, FileName, summarize, arg_max, Timestamp, EncryptedFiles, Locations, DeviceName, TotalFileEncrypted, project-reorder, sort, TimeGenerated, InitiatingProcessAccountName.

Operators

externaldata, with, format, ignoreFirstRecord, dynamic, let, materialize, distinct, extend, substring, string_size, DeviceFileEvents, where, has_any, summarize, arg_max, make_set, by, extend, array_length, project-reorder, sort