Query Details

Ransomware Tool Matrix Defender Lookup

Query

// Match DeviceProcessEvents command lines against the Ransomware Tool Matrix.
// Ref: https://github.com/BushidoUK/Ransomware-Tool-Matrix/tree/main/Tools
// Caveats: AllTools.csv is a wide table with ragged columns (many empty cells) and lists tool display names rather than
// exact binary names, so some cleanup of the terms is still needed, and attackers can rename tools/binaries.
// TimeGenerated is the Microsoft Sentinel column; in Defender XDR Advanced Hunting use Timestamp (30-day retention).
let RansomwareToolMatrix = externaldata (Discovery: string, RMMTools: string, DefenseEvasion: string, CredentialTheft: string, Offsec: string, Networking: string, LOLBAS: string, Exfiltration: string)
    [@'https://raw.githubusercontent.com/BushidoUK/Ransomware-Tool-Matrix/refs/heads/main/Tools/AllTools.csv']
    with (format=csv, ignoreFirstRecord=true);
// One single-column list per category, with the empty cells of the ragged CSV dropped so they do not become search terms.
// List names are kept distinct from the CSV column names.
let DiscoveryTools = RansomwareToolMatrix | project Discovery | where isnotempty(Discovery);
let RMMToolList = RansomwareToolMatrix | project RMMTools | where isnotempty(RMMTools);
let DefenseEvasionTools = RansomwareToolMatrix | project DefenseEvasion | where isnotempty(DefenseEvasion);
let CredentialTheftTools = RansomwareToolMatrix | project CredentialTheft | where isnotempty(CredentialTheft);
let OffsecTools = RansomwareToolMatrix | project Offsec | where isnotempty(Offsec);
let NetworkingTools = RansomwareToolMatrix | project Networking | where isnotempty(Networking);
let LOLBASTools = RansomwareToolMatrix | project LOLBAS | where isnotempty(LOLBAS);
let ExfiltrationTools = RansomwareToolMatrix | project Exfiltration | where isnotempty(Exfiltration);
DeviceProcessEvents
| where TimeGenerated > ago(90d)
// has_any is a case-insensitive whole-term match: a tool name still matches "<name>.exe" or a full path, but a renamed binary is missed
| where ProcessCommandLine has_any (DiscoveryTools)
    or ProcessCommandLine has_any (RMMToolList)
    or ProcessCommandLine has_any (DefenseEvasionTools)
    or ProcessCommandLine has_any (CredentialTheftTools)
    or ProcessCommandLine has_any (OffsecTools)
    or ProcessCommandLine has_any (NetworkingTools)
    or ProcessCommandLine has_any (LOLBASTools)
    or ProcessCommandLine has_any (ExfiltrationTools)
// Add ProcessCommandLine to the group-by keys to see the exact command line that matched
| summarize Devices = make_list(DeviceName) by FileName, InitiatingProcessFileName, ProcessVersionInfoCompanyName //, ProcessCommandLine

Explanation

This query is designed to identify potential ransomware-related activity on devices by comparing process command lines against the tool lists in the Ransomware Tool Matrix. Here's a simplified breakdown:

  1. Data Source: It pulls data from an external CSV file (AllTools.csv) that contains a list of tools associated with various ransomware activities. This file is hosted on GitHub and has one column per category: Discovery, RMM Tools, Defense Evasion, Credential Theft, Offensive Security (Offsec), Networking, LOLBAS (Living Off the Land Binaries and Scripts), and Exfiltration.

  2. Data Preparation: The query projects each column into its own single-column list so that each category can be matched separately.

  3. Event Filtering: It examines device process creation events from the last 90 days (bounded by the workspace's retention).

  4. Tool Matching: The query checks whether the command line of each process event contains any tool name from any of the category lists. has_any is a case-insensitive whole-term match, so a tool name still matches when it appears with an extension or a full path, but a renamed binary will not match.

  5. Result Summarization: For each combination of file name, initiating process file name and the company name from the process's version information (ProcessVersionInfoCompanyName), it lists the device names on which matches were seen.

The query is not perfect: the CSV's columns are ragged, so the category lists contain empty cells unless they are filtered out; the matrix records tool display names rather than exact binary or command-line strings, so some terms produce misses or noise; and attackers can rename tools or binaries, which a command-line term match will not catch. Treat hits as leads for triage, not as confirmed ransomware activity.
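An added example, not part of the original query or the Ransomware Tool Matrix project: a variant of the same lookup that flattens the ragged CSV into one (Category, Tool) row per non-empty cell and attributes each hit to the specific tool and category, which the summarize in the original discards. It uses the same externaldata source and DeviceProcessEvents columns as the page; the names ToolList, ToolNames, Category, Tool and the dummy join key k are this example's own.

```kql
let RansomwareToolMatrix = externaldata (Discovery: string, RMMTools: string, DefenseEvasion: string, CredentialTheft: string, Offsec: string, Networking: string, LOLBAS: string, Exfiltration: string)
    [@'https://raw.githubusercontent.com/BushidoUK/Ransomware-Tool-Matrix/refs/heads/main/Tools/AllTools.csv']
    with (format=csv, ignoreFirstRecord=true);
// Flatten the wide, ragged CSV into one (Category, Tool) row per non-empty cell
let ToolList = RansomwareToolMatrix
| project Cells = bag_pack(
    "Discovery", Discovery, "RMMTools", RMMTools, "DefenseEvasion", DefenseEvasion,
    "CredentialTheft", CredentialTheft, "Offsec", Offsec, "Networking", Networking,
    "LOLBAS", LOLBAS, "Exfiltration", Exfiltration)
| mv-expand kind=array Cells                        // each cell becomes a [key, value] pair
| extend Category = tostring(Cells[0]), Tool = trim(@"\s+", tostring(Cells[1]))
| where isnotempty(Tool)                            // drop the empty cells of the ragged columns
| distinct Category, Tool;
let ToolNames = ToolList | distinct Tool;
DeviceProcessEvents
| where TimeGenerated > ago(30d)                    // Sentinel column; Defender XDR Advanced Hunting uses Timestamp
| where ProcessCommandLine has_any (ToolNames)      // cheap term-index pre-filter over the whole list
| extend k = 1
| join kind=inner (ToolList | extend k = 1) on k    // cross join only the survivors with the tool list
| where ProcessCommandLine has Tool                  // attribute each event to the specific tool/category
| project-away k, k1
| summarize Hits = count(), Devices = make_set(DeviceName), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Category, Tool, FileName, InitiatingProcessFileName, ProcessVersionInfoCompanyName
| order by Hits desc
```

The has_any pre-filter is what keeps this affordable: the cross join only runs over the few events that survive it, not over every process event. The join must be kind=inner, because the default innerunique join deduplicates the left side on the key, and with a constant key that would collapse all surviving events into one. A single event can match more than one tool and so appear under several (Category, Tool) rows, which is the intended attribution.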

Details


Jay Kerai

Released: December 16, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, RansomwareToolMatrix, Discovery, RMMTools, DefenseEvasion, CredentialTheft, Offsec, Networking, LOLBAS, Exfiltration, TimeGenerated, ProcessCommandLine, DeviceName, FileName, InitiatingProcessFileName, ProcessVersionInfoCompanyName

Operators

let, externaldata, with, format, ignoreFirstRecord, project, where, has_any, or, summarize, make_list, by
