KQL Search

Query Details

HomeAI ToolsDevice Query

Ransomware Note Found

Query

# Triggers when a know ransomware note is found
----
### Defender For Endpoint

```
let RansomwareNotes  = externaldata(RansomwareNote: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-notes.txt"] with (format="txt", ignoreFirstRecord=True);
let RansomwareNotesAddition = dynamic(['thisisanadditionalransomwarenote.txt']); // Add your missing / new extensions in this list.
let FalsePostiveWhitelist = dynamic(['whitelist.txt']); // Add the files that trigger a lot of false positives to this whitelist.
let RansomwareNoteRaw = materialize (
     RansomwareNotes
     | extend RansomwareNoteRaw = replace_string(RansomwareNote, "*", '')
     | distinct RansomwareNoteRaw
     );
DeviceFileEvents
| where (FileName has_any (RansomwareNoteRaw) or FileName has_any (RansomwareNotesAddition)) and not(FileName has_any (FalsePostiveWhitelist))
| project-reorder Timestamp, FileName, FolderPath, DeviceName, InitiatingProcessAccountName

```
### Sentinel
```
let RansomwareNotes  = externaldata(RansomwareNote: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-notes.txt"] with (format="txt", ignoreFirstRecord=True);
let RansomwareNotesAddition = dynamic(['.thisisanadditionalransomwarenote']); // Add your missing / new extensions in this list.
let FalsePostiveWhitelist = dynamic(['.xxxxxxxxx']); // Add the files that trigger a lot of false positives to this whitelist.
let RansomwareNoteRaw = materialize (
     RansomwareNotes
     | extend RansomwareNoteRaw = replace_string(RansomwareNote, "*", '')
     | distinct RansomwareNoteRaw
     );
DeviceFileEvents
| where (FileName has_any (RansomwareNoteRaw) or FileName has_any (RansomwareNotesAddition)) and not(FileName has_any (FalsePostiveWhitelist))
| project-reorder TimeGenerated, FileName, FolderPath, DeviceName, InitiatingProcessAccountName
```

Explanation

The query triggers an alert when a known ransomware note is found. It uses a list of ransomware notes from a GitHub repository and checks if any file names in the DeviceFileEvents table match those notes. It also includes additional ransomware notes and a whitelist to filter out false positives. The query then projects specific columns from the matched events.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: March 8, 2023

Tables

DeviceFileEvents

Keywords

Devices,Intune,User

Operators

externaldatawithformatignoreFirstRecorddynamicletreplace_stringdistinctwherehas_anynotproject-reorder

Actions