Query Details

Remote Admin Certs

Query

name: Exfiltration, Ransomware Remote Admin Tools
description: Detects execution of common remote administration (RMM) tools that ransomware threat groups are known to abuse, by matching process image hashes against files signed by the tools' vendors
references:
tags: Exfiltration
search_query: (
let certificates = 
DeviceFileCertificateInfo
// Signer is the subject name on the file's code-signing certificate; has_any is a
// case-insensitive whole-term match, so 'netsupport' matches a signer such as 'NetSupport Ltd'
| where Signer has_any ('Ammyy','Atera Networks', 'Barracuda Networks', 'CONTINUUM MANAGED', 'ScreenConnect', 'DameWare Development', 'Datto Inc', 'Kaseya', 'Level Software, Inc','MSPBytes', 'N-Able Technologies', 'netsupport', 'ninjarmm', 
'Bravura Software LLC', 'Panorama9', 'pcvisit software ag', 'MMSoft Design', 'famatech', 'idrive', 'Remote Utilities', 'Krämer IT Solutions GmbH', 'Splashtop', 'Nanosystems S.R.L.', 'Servably, Inc.', 'AmidaWare', 'Duc Fabulous')
// SHA1 here is the hash of the signed file (the executable), not of the certificate
| distinct SHA1
;
DeviceProcessEvents
// every process creation whose image file hash is in the list built above
| where SHA1 in~ (certificates) )
on_hit: alert

Explanation

This query detects the execution of common remote administration (RMM) tools that ransomware operators abuse for hands-on-keyboard access, lateral movement and data staging. The tools themselves (Ammyy Admin, Atera, ScreenConnect, Kaseya, NetSupport, NinjaRMM, Splashtop and so on) are legitimate commercial products, so the query keys on the vendor's code-signing certificate rather than on file names, which an attacker can rename. Here's a simplified breakdown:

  1. Purpose: Identify devices on which a known remote admin tool has been run, by finding process image files that were signed by one of the listed vendors.

  2. Signer List: DeviceFileCertificateInfo records the code-signing certificate details of files Defender has inspected on onboarded devices. The first statement keeps rows whose Signer (the certificate subject) contains any of the listed vendor names. has_any is a case-insensitive, whole-term match, so 'netsupport' matches a signer such as 'NetSupport Ltd' but a partial word would not.

  3. SHA1 Hashes: The SHA1 column in that table is the hash of the signed file itself, not of the certificate. distinct SHA1 reduces the result to a de-duplicated list of file hashes for binaries signed by those vendors, collected across all devices in the tenant.

  4. Process Events: DeviceProcessEvents is then filtered to process creations whose image file SHA1 appears in that list (in~ is case-insensitive, which does not matter for hex hashes but is harmless).

  5. Alert: Any match raises an alert indicating that a remote admin tool was executed on the device.

In essence, the query looks for processes whose executable was signed by a vendor of remote admin software and alerts on each one. Two caveats for tuning: first, every hit is a legitimate product, so on estates where the IT team deploys one of these agents the rule will fire constantly; restrict it to devices or accounts where no RMM tool is sanctioned, or to the first execution per device. Second, coverage depends on the binary having been inspected by Defender and therefore appearing in DeviceFileCertificateInfo; an unsigned or freshly built portable copy that has not been scanned will not be in the hash list.
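The following is an added example (not part of the original query) showing one way to tune the detection as described above: the signer name is carried into the result via a join so the analyst can see which product ran, signature validity is required, a hypothetical allowlist of devices where an RMM agent is sanctioned is excluded, and hits are summarised per device and account. The device names in the allowlist and the 7-day window are placeholders.

```kql
// Added example, assumes the same DeviceFileCertificateInfo / DeviceProcessEvents schema as the original query.
// Subset of the vendor list from the page; extend it with the full list as needed.
let rmm_signers = dynamic(['Ammyy', 'Atera Networks', 'ScreenConnect', 'Kaseya',
                           'Splashtop', 'netsupport', 'ninjarmm', 'Remote Utilities']);
// Hypothetical allowlist: devices where the IT team legitimately runs an RMM agent.
let sanctioned_devices = dynamic(['helpdesk-ws01', 'helpdesk-ws02']);
// One row per signed file hash, keeping the signer so it survives the join.
let signed_rmm_files =
    DeviceFileCertificateInfo
    | where Signer has_any (rmm_signers)
    // Files whose signature did not validate are a different (stronger) lead; handle them separately.
    | where IsSigned == true and IsTrusted == true
    | summarize Signer = take_any(Signer), Issuer = take_any(Issuer) by SHA1;
DeviceProcessEvents
| where Timestamp > ago(7d)
// Inner join on the image hash brings Signer/Issuer onto each process creation.
| join kind=inner signed_rmm_files on SHA1
| where DeviceName !in~ (sanctioned_devices)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Executions = count(),
            SampleCommandLines = make_set(ProcessCommandLine, 5)
          by DeviceName, AccountName, Signer, FileName, FolderPath, SHA1
| order by FirstSeen asc
```

Summarising by DeviceName and AccountName turns a noisy per-process alert into one row per tool-per-user-per-host, which is what an analyst triages; FirstSeen makes it easy to spot a tool that appeared on a host for the first time during the window.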

Details


Ali Hussein

Released: December 25, 2023

Tables

DeviceFileCertificateInfo, DeviceProcessEvents

Keywords

Exfiltration, Ransomware, Devices

Operators

let, has_any, distinct, in~
