From 19cd6a93149a0eef071cf8388bbb018b3b1d5c19 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Wed, 9 Sep 2020 12:41:30 -0400 Subject: [PATCH 1/5] ryuk related pages --- Campaigns/cobalt-strike-invoked-w-wmi.md | 63 ++++++++++++++++++ Credential Access/lazagne.md | 56 ++++++++++++++++ .../remote-file-creation-with-psexec.md | 65 +++++++++++++++++++ 3 files changed, 184 insertions(+) create mode 100644 Campaigns/cobalt-strike-invoked-w-wmi.md create mode 100644 Credential Access/lazagne.md create mode 100644 Lateral Movement/remote-file-creation-with-psexec.md diff --git a/Campaigns/cobalt-strike-invoked-w-wmi.md b/Campaigns/cobalt-strike-invoked-w-wmi.md new file mode 100644 index 00000000..1089c07f --- /dev/null +++ b/Campaigns/cobalt-strike-invoked-w-wmi.md 
@@ -0,0 +1,63 @@ +# Detect Cobalt Strike invoked via WMI + +This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/). + +[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Muck like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot. + +During the earliest stages of a Ryuk infection, an operator downloads [Cobalt Strike](https://www.cobaltstrike.com/), a penetration testing kit that is also used by malicious actors. Cobalt Strike is used by Ryuk operators to explore the network before deploying the Ryuk payload. This malicious behavior is often obscured by Base64 encoding and other tricks. + +The following query detects possible invocation of Cobalt Strike using [Windows Management Instrumentation](https://docs.microsoft.com/windows/win32/wmisdk/wmi-start-page) (WMI). + +The [See also](#See-also) section below lists links to other queries associated with Ryuk ransomware. + +## Query + +```Kusto +// Find use of Base64 encoded PowerShell +// Indicating possible Cobalt Strike +DeviceProcessEvents +| where Timestamp > ago(7d) +// Only WMI-initiated instances, remove to broaden scope +| where InitiatingProcessFileName =~ 'wmiprvse.exe' +| where FileName =~ 'powershell.exe' + and (ProcessCommandLine hasprefix '-e' or + ProcessCommandLine contains 'frombase64') +// Check for Base64 with regex +| where ProcessCommandLine matches regex '[A-Za-z0-9+/]{50,}[=]{0,2}' +// Exclusions: The above regex may trigger false positive on legitimate SCCM activities. +// Remove this exclusion to search more broadly. 
+| where ProcessCommandLine !has 'Windows\\CCM\\' +| project DeviceId, Timestamp, InitiatingProcessId, +InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | v | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | v | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +* [Detect PsExec being used to spread files](./Lateral%20Movement/remote-file-creation-with-psexec.md) +* [Detect credential theft via SAM database export by LaZagne](./Credential%20Access/lazagne.md) + +## Contributor info + +**Contributor:** Microsoft Threat Protection team diff --git a/Credential Access/lazagne.md b/Credential Access/lazagne.md new file mode 100644 index 00000000..bfc87a7f --- /dev/null +++ b/Credential Access/lazagne.md 
@@ -0,0 +1,56 @@ +# Detect credential theft via SAM database export by LaZagne + +This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/). + +[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Muck like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot. + +During a typical Ryuk campaign, an operator will use [LaZagne](https://github.com/AlessandroZ/LaZagne), a credential theft tool, to access stored passwords for service accounts. The accounts are then used to jump from desktop clients to servers or domain controllers, allowing for better reconnaissance, faster movement, and a more severe impact on the target. + +The following query detects credential theft by LaZagne. + +The [See also](#See-also) section below lists links to other queries associated with Ryuk ransomware. + +## Query + +```Kusto +// Find credential theft via SAM database export by LaZagne +DeviceProcessEvents +| where Timestamp > ago(7d) +| where FileName =~ 'reg.exe' + and ProcessCommandLine has 'save' + and ProcessCommandLine has 'hklm' + and ProcessCommandLine has 'sam' +| project DeviceId, Timestamp, InitiatingProcessId, +InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? 
(v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | v | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +* [Detect PsExec being used to spread files](./Lateral%20Movement/remote-file-creation-with-psexec.md) +* [Detect Cobalt Strike invoked via WMI](./Campaigns/cobalt-strike-invoked-w-wmi.md) + +## Contributor info + +**Contributor:** Microsoft Threat Protection team diff --git a/Lateral Movement/remote-file-creation-with-psexec.md b/Lateral Movement/remote-file-creation-with-psexec.md new file mode 100644 index 00000000..2a794f63 --- /dev/null +++ b/Lateral Movement/remote-file-creation-with-psexec.md 
@@ -0,0 +1,65 @@ +# Detect PsExec being used to spread files + +This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/). + +[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Muck like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot. + +Ryuk operators use [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) to manually spread the ransomware to other devices. + +The following query detects remote file creation events that might indicate an active attack. + +The [See also](#See-also) section below lists links to other queries associated with Ryuk ransomware. 
+ +## Query + +```Kusto +// Find PsExec creating multiple files on remote machines in a 10-minute window +DeviceFileEvents +| where Timestamp > ago(7d) +// Looking for PsExec by accepteula command flag +| where InitiatingProcessCommandLine has "accepteula" +// Remote machines and file is exe +| where FolderPath has "\\\\" and FileName endswith ".exe" +| extend Exe = countof(InitiatingProcessCommandLine, ".exe") +// Checking to see if command line has 2 .exe or .bat +| where InitiatingProcessCommandLine !has ".ps1" and Exe > 1 or +InitiatingProcessCommandLine has ".bat" +// Exclusions: Remove the following line to widen scope of AHQ +| where not(InitiatingProcessCommandLine has_any("batch", "auditpol", +"script", "scripts", "illusive", "rebootrequired")) +| summarize FileCount = dcount(FolderPath), make_set(SHA1), make_set(FolderPath), +make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId, +TimeWindow=bin(Timestamp, 10m), InitiatingProcessFileName +| where FileCount > 4 +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | v | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +* [Detect credential theft via SAM database export by LaZagne](./Credential%20Access/lazagne.md) +* [Detect Cobalt Strike invoked via WMI](./Campaigns/cobalt-strike-invoked-w-wmi.md) + +## Contributor info + +**Contributor:** Microsoft Threat Protection team From dab69deffcac2c45d91f3d46e9c9ce6e1b020a42 Mon Sep 17 00:00:00 2001 
From: Marty Hernandez Avedon Date: Wed, 9 Sep 2020 17:23:32 -0400 Subject: [PATCH 2/5] fixed file paths --- Campaigns/cobalt-strike-invoked-w-wmi.md | 4 ++-- Credential Access/lazagne.md | 4 ++-- Lateral Movement/remote-file-creation-with-psexec.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Campaigns/cobalt-strike-invoked-w-wmi.md b/Campaigns/cobalt-strike-invoked-w-wmi.md index 1089c07f..443228ad 100644 --- a/Campaigns/cobalt-strike-invoked-w-wmi.md +++ b/Campaigns/cobalt-strike-invoked-w-wmi.md @@ -55,8 +55,8 @@ This query can be used to detect the following attack techniques and tactics ([s ## See also -* [Detect PsExec being used to spread files](./Lateral%20Movement/remote-file-creation-with-psexec.md) -* [Detect credential theft via SAM database export by LaZagne](./Credential%20Access/lazagne.md) +* [Detect PsExec being used to spread files](../Lateral%20Movement/remote-file-creation-with-psexec.md) +* [Detect credential theft via SAM database export by LaZagne](../Credential%20Access/lazagne.md) ## Contributor info diff --git a/Credential Access/lazagne.md b/Credential Access/lazagne.md index bfc87a7f..2c1f1434 100644 --- a/Credential Access/lazagne.md +++ b/Credential Access/lazagne.md @@ -48,8 +48,8 @@ This query can be used to detect the following attack techniques and tactics ([s ## See also -* [Detect PsExec being used to spread files](./Lateral%20Movement/remote-file-creation-with-psexec.md) -* [Detect Cobalt Strike invoked via WMI](./Campaigns/cobalt-strike-invoked-w-wmi.md) +* [Detect PsExec being used to spread files](../Lateral%20Movement/remote-file-creation-with-psexec.md) +* [Detect Cobalt Strike invoked via WMI](../Campaigns/cobalt-strike-invoked-w-wmi.md) ## Contributor info diff --git a/Lateral Movement/remote-file-creation-with-psexec.md b/Lateral Movement/remote-file-creation-with-psexec.md index 2a794f63..5cc4c6f5 100644 --- a/Lateral Movement/remote-file-creation-with-psexec.md 
+++ b/Lateral Movement/remote-file-creation-with-psexec.md @@ -57,8 +57,8 @@ This query can be used to detect the following attack techniques and tactics ([s ## See also -* [Detect credential theft via SAM database export by LaZagne](./Credential%20Access/lazagne.md) -* [Detect Cobalt Strike invoked via WMI](./Campaigns/cobalt-strike-invoked-w-wmi.md) +* [Detect credential theft via SAM database export by LaZagne](../Credential%20Access/lazagne.md) +* [Detect Cobalt Strike invoked via WMI](../Campaigns/cobalt-strike-invoked-w-wmi.md) ## Contributor info From 07fdef2353370677043066bd81a7c0dc9a129761 Mon Sep 17 00:00:00 2001 From: Louie Mayor Date: Wed, 9 Sep 2020 17:33:48 -0700 Subject: [PATCH 3/5] Update cobalt-strike-invoked-w-wmi.md --- Campaigns/cobalt-strike-invoked-w-wmi.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Campaigns/cobalt-strike-invoked-w-wmi.md b/Campaigns/cobalt-strike-invoked-w-wmi.md index 443228ad..6a91ba1e 100644 --- a/Campaigns/cobalt-strike-invoked-w-wmi.md +++ b/Campaigns/cobalt-strike-invoked-w-wmi.md 
@@ -2,7 +2,7 @@ This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/). -[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Muck like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot. +[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Much like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot. During the earliest stages of a Ryuk infection, an operator downloads [Cobalt Strike](https://www.cobaltstrike.com/), a penetration testing kit that is also used by malicious actors. Cobalt Strike is used by Ryuk operators to explore the network before deploying the Ryuk payload. This malicious behavior is often obscured by Base64 encoding and other tricks. From cc7b7b85970875b51d6a2104e128c73076512f12 Mon Sep 17 00:00:00 2001 From: Louie Mayor Date: Wed, 9 Sep 2020 17:34:28 -0700 Subject: [PATCH 4/5] Update lazagne.md --- Credential Access/lazagne.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Credential Access/lazagne.md b/Credential Access/lazagne.md index 2c1f1434..56cb6842 100644 --- a/Credential Access/lazagne.md +++ b/Credential Access/lazagne.md 
@@ -2,7 +2,7 @@ This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/). -[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Muck like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot. +[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Much like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot. During a typical Ryuk campaign, an operator will use [LaZagne](https://github.com/AlessandroZ/LaZagne), a credential theft tool, to access stored passwords for service accounts. The accounts are then used to jump from desktop clients to servers or domain controllers, allowing for better reconnaissance, faster movement, and a more severe impact on the target. From 2cf58270c37e7cd90fd5d71494ebe6c7b3d700d5 Mon Sep 17 00:00:00 2001 From: Louie Mayor Date: Wed, 9 Sep 2020 17:34:42 -0700 Subject: [PATCH 5/5] Update remote-file-creation-with-psexec.md --- Lateral Movement/remote-file-creation-with-psexec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lateral Movement/remote-file-creation-with-psexec.md b/Lateral Movement/remote-file-creation-with-psexec.md index 5cc4c6f5..dde875ed 100644 --- a/Lateral Movement/remote-file-creation-with-psexec.md +++ b/Lateral Movement/remote-file-creation-with-psexec.md 
@@ -2,7 +2,7 @@ This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/). -[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Muck like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot. +[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Much like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot. Ryuk operators use [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) to manually spread the ransomware to other devices.
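Review bot: In PATCH 1/5, the `Campaigns/cobalt-strike-invoked-w-wmi.md` hunk, the filter `ProcessCommandLine hasprefix '-e'` is broader than the comment "Find use of Base64 encoded PowerShell" suggests: `hasprefix` matches any whitespace-delimited term beginning with `-e`, so `-ExecutionPolicy`, `-ep` and `-exec` all pass, not only `-e`/`-enc`/`-EncodedCommand`. The 50-character Base64 regex that follows keeps the result set manageable, but the intent should be stated, for example by using `has_any('-e', '-ec', '-enc', '-encodedcommand')` or by adding a comment that the prefix is deliberately loose. The `Windows\\CCM\\` exclusion is documented in the query comment but the `Notes` column of the Category table is left empty; recording the SCCM false-positive there would make the trade-off visible to readers who only skim the table.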
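Review bot: In PATCH 1/5, the `Credential Access/lazagne.md` hunk, the query keys only on `reg.exe` with `save`, `hklm` and `sam` on the command line, which is what a SAM hive export looks like regardless of the tool driving it; the title "Detect credential theft via SAM database export by LaZagne" and the sentence "The following query detects credential theft by LaZagne" therefore claim more tool specificity than the logic provides. Suggest describing it as detection of SAM hive export via `reg save`, naming LaZagne as the tool observed in Ryuk intrusions, and noting in the `Notes` column that legitimate backup or imaging jobs may produce the same command line. Since an exported SAM is only usable together with the SYSTEM hive, also matching `has 'system'` in a second branch (or reporting both hives saved by the same initiating process) gives defenders a stronger signal than the `sam` term alone.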
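Review bot: In PATCH 1/5, the `Lateral Movement/remote-file-creation-with-psexec.md` hunk, the condition `| where InitiatingProcessCommandLine !has ".ps1" and Exe > 1 or InitiatingProcessCommandLine has ".bat"` does not do what the comment "Checking to see if command line has 2 .exe or .bat" implies: `and` binds tighter than `or`, so the `.ps1` exclusion applies only to the two-`.exe` branch and any command line containing `.bat` passes unconditionally. If the intent is "no `.ps1`, and either two `.exe` tokens or a `.bat`", parenthesize it as `!has ".ps1" and (Exe > 1 or InitiatingProcessCommandLine has ".bat")`; if the current precedence is intentional, add the parentheses anyway so the next reader does not have to guess. The comment "Remove the following line to widen scope of AHQ" also refers to a `has_any(...)` exclusion that spans two physical lines, and "AHQ" is an unexplained abbreviation; spelling it out (advanced hunting query) keeps the page self-contained.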
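Review bot: In PATCH 2/5, the `Campaigns/cobalt-strike-invoked-w-wmi.md` hunk (and the two sibling hunks for `lazagne.md` and `remote-file-creation-with-psexec.md`), the change from `./Lateral%20Movement/...` to `../Lateral%20Movement/...` is correct, since each page lives one directory below the repository root and the `./` form resolved to a non-existent sibling folder. Because this only repairs links introduced by PATCH 1/5, it should be squashed into that commit so no point in the series lands pages whose "See also" links are broken.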
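Review bot: In PATCH 3/5, the `Campaigns/cobalt-strike-invoked-w-wmi.md` hunk changing "Muck like" to "Much like" is the same one-word typo fix that PATCH 4/5 and PATCH 5/5 apply to the identical paragraph in `lazagne.md` and `remote-file-creation-with-psexec.md`. Three separate "Update ...md" commits for one typo make the history noisy; fold all three into PATCH 1/5 (or at least into a single commit), and since the same two-sentence Ryuk paragraph is duplicated verbatim across all three pages, consider keeping it in one place so future wording fixes are not needed in triplicate.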