Query Details

Triggers when a know ransomware note is found

Ransomware Note Found

Query

let RansomwareNotes  = externaldata(RansomwareNote: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-notes.txt"] with (format="txt", ignoreFirstRecord=True);
let RansomwareNotesAddition = dynamic(['thisisanadditionalransomwarenote.txt']); // Add your missing / new extensions in this list.
let FalsePostiveWhitelist = dynamic(['whitelist.txt']); // Add the files that trigger a lot of false positives to this whitelist.
let RansomwareNoteRaw = RansomwareNotes
     | extend RansomwareNoteRaw = replace_string(RansomwareNote, "*", '')
     | distinct RansomwareNoteRaw;
DeviceFileEvents
| where (FileName has_any (RansomwareNoteRaw) or FileName has_any (RansomwareNotesAddition)) and not(FileName has_any (FalsePostiveWhitelist))
| project-reorder Timestamp, FileName, FolderPath, DeviceName, InitiatingProcessAccountName

About this query

Triggers when a know ransomware note is found

Query Information

Description

This query triggers when a known ransomware note is found.

Risk

The file might indicate that files are encryped for ransomware.

References

Defender XDR

Sentinel

let RansomwareNotes  = externaldata(RansomwareNote: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-notes.txt"] with (format="txt", ignoreFirstRecord=True);
let RansomwareNotesAddition = dynamic(['.thisisanadditionalransomwarenote']); // Add your missing / new extensions in this list.
let FalsePostiveWhitelist = dynamic(['.xxxxxxxxx']); // Add the files that trigger a lot of false positives to this whitelist.
let RansomwareNoteRaw = RansomwareNotes
     | extend RansomwareNoteRaw = replace_string(RansomwareNote, "*", '')
     | distinct RansomwareNoteRaw;
DeviceFileEvents
| where (FileName has_any (RansomwareNoteRaw) or FileName has_any (RansomwareNotesAddition)) and not(FileName has_any (FalsePostiveWhitelist))
| project-reorder TimeGenerated, FileName, FolderPath, DeviceName, InitiatingProcessAccountName

Explanation

This query is designed to detect the presence of known ransomware notes on a device, which could indicate that files have been encrypted due to a ransomware attack. Here's a simplified breakdown of the query:

  1. Data Source: The query pulls a list of known ransomware note filenames from an external source (a GitHub repository) and stores them in a variable called RansomwareNotes.

  2. Additional Notes: It allows for the addition of any new or missing ransomware note filenames through a list called RansomwareNotesAddition.

  3. False Positives: To reduce false alarms, there's a whitelist (FalsePostiveWhitelist) where filenames that frequently trigger false positives can be added.

  4. Processing: The query processes the list of ransomware notes to remove any wildcard characters and ensures each note is distinct.

  5. Event Filtering: It then checks the DeviceFileEvents table for any file events where the filename matches any of the known ransomware notes or additional notes, while excluding any filenames in the whitelist.

  6. Output: The results are organized to show the timestamp, filename, folder path, device name, and the account name of the process that initiated the file event.

This query helps in identifying potential ransomware attacks by flagging files that match known ransomware note patterns, allowing for further investigation and response.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceFileEvents

Keywords

RansomwareNotesDeviceFileEvents

Operators

letexternaldatawithdynamicextendreplace_stringdistincthas_anynotproject-reorderwhere

Actions

GitHub