From 74a78407e7129a578cc1b9629cdd7e415cfca44b Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Tue, 27 Oct 2020 17:31:45 -0400 Subject: [PATCH 1/9] added reverse-shell-ransomware-macos --- .../reverse-shell-ransomware-macos.md | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 Command and Control/reverse-shell-ransomware-macos.md diff --git a/Command and Control/reverse-shell-ransomware-macos.md b/Command and Control/reverse-shell-ransomware-macos.md new file mode 100644 index 00000000..53a6c131 --- /dev/null +++ b/Command and Control/reverse-shell-ransomware-macos.md 
@@ -0,0 +1,41 @@ +# Reverse shell associated with ransomware on macOS + +This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*. + +EvilQuest is Mac-based ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform. + +The example below can help locate a reverse shell established by an attacker. The command the query searches for is associated with, but not definitely indicative of, EvilQuest infections. + +## Query + +```kusto +union DeviceFileEvents, DeviceProcessEvents +| where Timestamp >= ago(7d) +| where ProcessCommandLine contains "bash -i >& /dev/tcp/" +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | v | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## Contributor info + +**Contributor:** Microsoft Threat Protection tea From aea562ade78b0e9360256ea8f91f9f78298c5a5a Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Thu, 29 Oct 2020 15:00:01 -0400 Subject: [PATCH 2/9] copyedits --- Command and Control/reverse-shell-ransomware-macos.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Command and Control/reverse-shell-ransomware-macos.md b/Command and Control/reverse-shell-ransomware-macos.md index 53a6c131..9b40246c 100644 --- a/Command and Control/reverse-shell-ransomware-macos.md 
+++ b/Command and Control/reverse-shell-ransomware-macos.md @@ -2,9 +2,9 @@ This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*. -EvilQuest is Mac-based ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform. +As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform. -The example below can help locate a reverse shell established by an attacker. The command the query searches for is associated with, but not definitely indicative of, EvilQuest infections. +The query below can help locate a reverse shell established by an attacker. The command the query searches for is associated with, but not definitely indicative of, EvilQuest infections. ## Query From 04f72256fc4d14c7a6db84199fdec164b5bc0b59 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Thu, 29 Oct 2020 15:11:52 -0400 Subject: [PATCH 3/9] added python-use-by-ransomware-macos.md, typo fixes --- .../python-use-by-ransomware-macos.md | 45 +++++++++++++++++++ .../reverse-shell-ransomware-macos.md | 6 ++- 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 Command and Control/python-use-by-ransomware-macos.md diff --git a/Command and Control/python-use-by-ransomware-macos.md b/Command and Control/python-use-by-ransomware-macos.md new file mode 100644 index 00000000..73467264 --- /dev/null +++ b/Command and Control/python-use-by-ransomware-macos.md 
@@ -0,0 +1,45 @@ +# Python usage associated with ransomware on macOS + +This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*. + +As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform. + +The query below can help locate an attempt to run Python in service of malicious activity by a remote operator. The command the query searches for is associated with, but not definitely indicative of, EvilQuest infections. + +Other queries related to EvilQuest ransomware can be found under the [See also](#see-also) section below. + +## Query + +```kusto +union DeviceFileEvents, DeviceProcessEvents +| where Timestamp >= ago(7d) +| where ProcessCommandLine contains "EIKKEIKK" and ProcessCommandLine contains "python" +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | v | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +## Contributor info + +**Contributor:** Microsoft Threat Protection team diff --git a/Command and Control/reverse-shell-ransomware-macos.md b/Command and Control/reverse-shell-ransomware-macos.md index 9b40246c..17deb2fe 100644 --- a/Command and Control/reverse-shell-ransomware-macos.md +++ b/Command and Control/reverse-shell-ransomware-macos.md 
@@ -6,6 +6,8 @@ As of the time of this writing (October 2020), ransomware designed to target mac The query below can help locate a reverse shell established by an attacker. The command the query searches for is associated with, but not definitely indicative of, EvilQuest infections. +Other queries related to EvilQuest ransomware can be found under the [See also](#see-also) section below. + ## Query ```kusto @@ -36,6 +38,8 @@ This query can be used to detect the following attack techniques and tactics ([s | Misconfiguration | | | | Malware, component | | | +## See also + ## Contributor info -**Contributor:** Microsoft Threat Protection tea +**Contributor:** Microsoft Threat Protection team From 92af1a9d678837d5e0421268929235ad93c225e1 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Thu, 29 Oct 2020 15:30:45 -0400 Subject: [PATCH 4/9] added ransom-note-creation-macos.md --- .../python-use-by-ransomware-macos.md | 2 +- Impact/ransom-note-creation-macos.md | 45 +++++++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 Impact/ransom-note-creation-macos.md diff --git a/Command and Control/python-use-by-ransomware-macos.md b/Command and Control/python-use-by-ransomware-macos.md index 73467264..c0eb50b7 100644 --- a/Command and Control/python-use-by-ransomware-macos.md +++ b/Command and Control/python-use-by-ransomware-macos.md @@ -31,7 +31,7 @@ This query can be used to detect the following attack techniques and tactics ([s | Discovery | | | | Lateral movement | | | | Collection | | | -| Command and control | | | +| Command and control | v | | | Exfiltration | | | | Impact | | | | Vulnerability | | | diff --git a/Impact/ransom-note-creation-macos.md b/Impact/ransom-note-creation-macos.md new file mode 100644 index 00000000..8f8e9977 --- /dev/null +++ b/Impact/ransom-note-creation-macos.md 
@@ -0,0 +1,45 @@ +# Python usage associated with ransomware on macOS + +This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*. + +As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform. + +The query below can detect the creation of a ransom note according to the typical methods of EvilQuest operators. The command the query searches for is associated with, but not definitely indicative of, EvilQuest infections. + +Other queries related to EvilQuest ransomware can be found under the [See also](#see-also) section below. + +## Query + +```kusto +union DeviceFileEvents, DeviceProcessEvents +| where Timestamp >= ago(7d) +| where ProcessCommandLine contains "say \\\"Your files are encrypted\\\" waiting until completion false" +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | v | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | v | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +## Contributor info + +**Contributor:** Microsoft Threat Protection team From c536d9279309bc0fddfe8601f3c267396701b111 Mon Sep 17 00:00:00 2001 
From: Marty Hernandez Avedon Date: Thu, 29 Oct 2020 15:49:21 -0400 Subject: [PATCH 5/9] added launch-questd-w-osascript.md --- Execution/launch-questd-w-osascript.md | 46 ++++++++++++++++++++++++++ Impact/ransom-note-creation-macos.md | 4 +-- 2 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 Execution/launch-questd-w-osascript.md diff --git a/Execution/launch-questd-w-osascript.md b/Execution/launch-questd-w-osascript.md new file mode 100644 index 00000000..a2085cff --- /dev/null +++ b/Execution/launch-questd-w-osascript.md 
@@ -0,0 +1,46 @@ +# Launching questd ransomware using osascript + +This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*. + +As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform. + +The query below can detect events associated with the launch of the EvilQuest executable, *questd*, from the shell. + +Other queries related to EvilQuest ransomware can be found under the [See also](#see-also) section below. + +## Query + +```kusto +union DeviceFileEvents, DeviceProcessEvents +| where Timestamp >= ago(7d) +| where ProcessCommandLine contains "osascript -e do shell script \"launchctl load" and +ProcessCommandLine contains "questd" +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | v | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | v | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +## Contributor info + +**Contributor:** Microsoft Threat Protection team diff --git a/Impact/ransom-note-creation-macos.md b/Impact/ransom-note-creation-macos.md index 8f8e9977..54c07553 100644 --- a/Impact/ransom-note-creation-macos.md +++ b/Impact/ransom-note-creation-macos.md @@ -1,4 +1,4 @@ -# Python usage associated with ransomware on macOS +# Ransom note 'say' alert associated with ransomware on macOS This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*. 
@@ -23,7 +23,7 @@ This query can be used to detect the following attack techniques and tactics ([s | Technique, tactic, or state | Covered? (v=yes) | Notes | |-|-|-| | Initial access | | | -| Execution | v | | +| Execution | | | | Persistence | | | | Privilege escalation | | | | Defense evasion | | | From 78505b7863902a4924d40dc51d93b2b718a04cbd Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Thu, 29 Oct 2020 15:57:26 -0400 Subject: [PATCH 6/9] added see also links --- Command and Control/python-use-by-ransomware-macos.md | 4 ++++ Command and Control/reverse-shell-ransomware-macos.md | 4 ++++ Execution/launch-questd-w-osascript.md | 4 ++++ Impact/ransom-note-creation-macos.md | 4 ++++ 4 files changed, 16 insertions(+) diff --git a/Command and Control/python-use-by-ransomware-macos.md b/Command and Control/python-use-by-ransomware-macos.md index c0eb50b7..02750d65 100644 --- a/Command and Control/python-use-by-ransomware-macos.md +++ b/Command and Control/python-use-by-ransomware-macos.md @@ -40,6 +40,10 @@ This query can be used to detect the following attack techniques and tactics ([s ## See also +* [Ransom note 'say' alert associated with ransomware on macOS](..\Impact\ransom-note-creation-macos.md) +* [Launching questd ransomware using osascript](..\Execution\launch-questd-w-osascript.md) +* [Reverse shell associated with ransomware on macOS](reverse-shell-ransomware-macos.md) + ## Contributor info **Contributor:** Microsoft Threat Protection team diff --git a/Command and Control/reverse-shell-ransomware-macos.md b/Command and Control/reverse-shell-ransomware-macos.md index 17deb2fe..69882047 100644 --- a/Command and Control/reverse-shell-ransomware-macos.md +++ b/Command and Control/reverse-shell-ransomware-macos.md 
@@ -40,6 +40,10 @@ This query can be used to detect the following attack techniques and tactics ([s ## See also +* [Ransom note 'say' alert associated with ransomware on macOS](..\Impact\ransom-note-creation-macos.md) +* [Launching questd ransomware using osascript](..\Execution\launch-questd-w-osascript.md) +* [Python usage associated with ransomware on macOS](python-use-by-ransomware-macos.md) + ## Contributor info **Contributor:** Microsoft Threat Protection team diff --git a/Execution/launch-questd-w-osascript.md b/Execution/launch-questd-w-osascript.md index a2085cff..ae3014ce 100644 --- a/Execution/launch-questd-w-osascript.md +++ b/Execution/launch-questd-w-osascript.md @@ -41,6 +41,10 @@ This query can be used to detect the following attack techniques and tactics ([s ## See also +* [Ransom note 'say' alert associated with ransomware on macOS](..\Impact\ransom-note-creation-macos.md) +* [Reverse shell associated with ransomware on macOS](..\Command%20and%20Control\reverse-shell-ransomware-macos.md) +* [Python usage associated with ransomware on macOS](..\Command%20and%20Control\python-use-by-ransomware-macos.md) + ## Contributor info **Contributor:** Microsoft Threat Protection team diff --git a/Impact/ransom-note-creation-macos.md b/Impact/ransom-note-creation-macos.md index 54c07553..c54c12a5 100644 --- a/Impact/ransom-note-creation-macos.md +++ b/Impact/ransom-note-creation-macos.md @@ -40,6 +40,10 @@ This query can be used to detect the following attack techniques and tactics ([s ## See also +* [Launching questd ransomware using osascript](..\Execution\launch-questd-w-osascript.md) +* [Reverse shell associated with ransomware on macOS](..\Command%20and%20Control\reverse-shell-ransomware-macos.md) +* [Python usage associated with ransomware on macOS](..\Command%20and%20Control\python-use-by-ransomware-macos.md) + ## Contributor info **Contributor:** Microsoft Threat Protection team From 43a812bc57df87061b7e6f25b5d0740e2f8e6892 Mon Sep 17 00:00:00 2001 
From: Marty Hernandez Avedon Date: Wed, 4 Nov 2020 15:59:25 -0500 Subject: [PATCH 7/9] Update ransom-note-creation-macos.md --- Impact/ransom-note-creation-macos.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Impact/ransom-note-creation-macos.md b/Impact/ransom-note-creation-macos.md index c54c12a5..f1e9ba61 100644 --- a/Impact/ransom-note-creation-macos.md +++ b/Impact/ransom-note-creation-macos.md @@ -13,7 +13,7 @@ Other queries related to EvilQuest ransomware can be found under the [See also]( ```kusto union DeviceFileEvents, DeviceProcessEvents | where Timestamp >= ago(7d) -| where ProcessCommandLine contains "say \\\"Your files are encrypted\\\" waiting until completion false" +| where ProcessCommandLine has "say \\\"Your files are encrypted\\\" waiting until completion false" ``` ## Category From c00b9ecb6b0a721ebd7a0a3b52700493fc358f4d Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Wed, 4 Nov 2020 15:59:56 -0500 Subject: [PATCH 8/9] Update launch-questd-w-osascript.md --- Execution/launch-questd-w-osascript.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Execution/launch-questd-w-osascript.md b/Execution/launch-questd-w-osascript.md index ae3014ce..85f0f75b 100644 --- a/Execution/launch-questd-w-osascript.md +++ b/Execution/launch-questd-w-osascript.md @@ -13,7 +13,7 @@ Other queries related to EvilQuest ransomware can be found under the [See also]( ```kusto union DeviceFileEvents, DeviceProcessEvents | where Timestamp >= ago(7d) -| where ProcessCommandLine contains "osascript -e do shell script \"launchctl load" and +| where ProcessCommandLine has "osascript -e do shell script \"launchctl load" and ProcessCommandLine contains "questd" ``` From 42a29d8999a14c30f9eb6db3dafedd2079073108 Mon Sep 17 00:00:00 2001 
From: Marty Hernandez Avedon Date: Wed, 4 Nov 2020 16:00:21 -0500 Subject: [PATCH 9/9] Update reverse-shell-ransomware-macos.md --- Command and Control/reverse-shell-ransomware-macos.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Command and Control/reverse-shell-ransomware-macos.md b/Command and Control/reverse-shell-ransomware-macos.md index 69882047..bf432ccb 100644 --- a/Command and Control/reverse-shell-ransomware-macos.md +++ b/Command and Control/reverse-shell-ransomware-macos.md @@ -13,7 +13,7 @@ Other queries related to EvilQuest ransomware can be found under the [See also]( ```kusto union DeviceFileEvents, DeviceProcessEvents | where Timestamp >= ago(7d) -| where ProcessCommandLine contains "bash -i >& /dev/tcp/" +| where ProcessCommandLine has "bash -i >& /dev/tcp/" ``` ## Category
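Review bot: In PATCH 1/9, the new query in `Command and Control/reverse-shell-ransomware-macos.md` unions `DeviceFileEvents` with `DeviceProcessEvents` but then filters only on `ProcessCommandLine`. To my knowledge `DeviceFileEvents` exposes `InitiatingProcessCommandLine` rather than `ProcessCommandLine`, so the file-event rows carry an empty value for that column and the union adds scan cost without adding matches. Either query `DeviceProcessEvents` alone, or extend the filter to `| where ProcessCommandLine has "bash -i >& /dev/tcp/" or InitiatingProcessCommandLine has "bash -i >& /dev/tcp/"` so file events whose parent is the reverse shell are actually surfaced. The same pattern is copied into the three other new query files in PATCH 3/9, 4/9 and 5/9.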
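Review bot: The contributor line added at the end of PATCH 1/9 is truncated (`**Contributor:** Microsoft Threat Protection tea`) and is only corrected in PATCH 3/9; please squash that fix into the commit that creates the file so every commit in the series leaves the document well-formed.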
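Review bot: PATCH 4/9 creates `Impact/ransom-note-creation-macos.md` with the heading `# Python usage associated with ransomware on macOS` carried over from the python-use file, and ticks Execution in the category table; both are reverted in PATCH 5/9 (new title `# Ransom note 'say' alert associated with ransomware on macOS`, Execution unticked). Squash those corrections into 4/9. Separately, the query string `"say \\\"Your files are encrypted\\\" waiting until completion false"` relies on KQL escaping (`\\` is a literal backslash, `\"` a literal quote), so the filter matches a recorded command line that itself contains `\"` around the message. A one-line note in the document saying the backslashes are part of the observed command line would stop a future editor from "simplifying" them and silently breaking the detection.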
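Review bot: The See also entries added in PATCH 6/9 use backslashes as path separators, for example `..\Impact\ransom-note-creation-macos.md` and `..\Command%20and%20Control\reverse-shell-ransomware-macos.md`. Backslashes are not path separators in Markdown link targets or URLs, so these links will not resolve when rendered on GitHub. Use forward slashes throughout (`../Impact/ransom-note-creation-macos.md`, `../Command%20and%20Control/reverse-shell-ransomware-macos.md`); the `%20` encoding for the directory name with spaces is correct and should be kept.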
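Review bot: PATCHES 7/9 to 9/9 switch three queries from `contains` to `has`, which is the right call for cost since `has` uses the term index, but the change is incomplete and the remaining `contains` uses are not explained. In PATCH 8/9 the second predicate `ProcessCommandLine contains "questd"` stays on `contains`, and the python-use query from PATCH 3/9 (`contains "EIKKEIKK" and ProcessCommandLine contains "python"`) is not touched at all. Note that `has` matches whole terms, so `has "python"` would not match a command line invoking `python3`; if that is why `contains` was kept there, say so in the file, otherwise convert the remaining predicates for consistency. It is also worth confirming in advanced hunting that `has` still returns the expected rows for strings that end in punctuation such as `/dev/tcp/`.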