microsoft · lomayor · Sep 10, 2020 · Sep 9, 2020 · Sep 9, 2020 · Sep 10, 2020
diff --git a/Campaigns/cobalt-strike-invoked-w-wmi.md b/Campaigns/cobalt-strike-invoked-w-wmi.md
@@ -0,0 +1,63 @@
+# Detect Cobalt Strike invoked via WMI
+
+This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/).
+
+[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Much like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot.
+
+During the earliest stages of a Ryuk infection, an operator downloads [Cobalt Strike](https://www.cobaltstrike.com/), a penetration testing kit that is also used by malicious actors. Cobalt Strike is used by Ryuk operators to explore the network before deploying the Ryuk payload. This malicious behavior is often obscured by Base64 encoding and other tricks.
+
+The following query detects possible invocation of Cobalt Strike using [Windows Management Instrumentation](https://docs.microsoft.com/windows/win32/wmisdk/wmi-start-page) (WMI).
+
+The [See also](#See-also) section below lists links to other queries associated with Ryuk ransomware.
+
+## Query
+
+```Kusto
+// Find use of Base64 encoded PowerShell
+// Indicating possible Cobalt Strike 
+DeviceProcessEvents
+| where Timestamp > ago(7d)
+// Only WMI-initiated instances, remove to broaden scope
+| where InitiatingProcessFileName =~ 'wmiprvse.exe'
+| where FileName =~ 'powershell.exe'
+ and (ProcessCommandLine hasprefix '-e' or 
+ ProcessCommandLine contains 'frombase64')
+// Check for Base64 with regex
+| where ProcessCommandLine matches regex '[A-Za-z0-9+/]{50,}[=]{0,2}'
+// Exclusions: The above regex may trigger false positive on legitimate SCCM activities. 
+// Remove this exclusion to search more broadly.
+| where ProcessCommandLine !has 'Windows\\CCM\\'
+| project DeviceId, Timestamp, InitiatingProcessId, 
+InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution | v |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion | v |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Detect PsExec being used to spread files](../Lateral%20Movement/remote-file-creation-with-psexec.md)
+* [Detect credential theft via SAM database export by LaZagne](../Credential%20Access/lazagne.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team
diff --git a/Credential Access/lazagne.md b/Credential Access/lazagne.md
@@ -0,0 +1,56 @@
+# Detect credential theft via SAM database export by LaZagne
+
+This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/).
+
+[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Much like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot.
+
+During a typical Ryuk campaign, an operator will use [LaZagne](https://github.com/AlessandroZ/LaZagne), a credential theft tool, to access stored passwords for service accounts. The accounts are then used to jump from desktop clients to servers or domain controllers, allowing for better reconnaissance, faster movement, and a more severe impact on the target.
+
+The following query detects credential theft by LaZagne.
+
+The [See also](#See-also) section below lists links to other queries associated with Ryuk ransomware.
+
+## Query
+
+```Kusto
+// Find credential theft via SAM database export by LaZagne
+DeviceProcessEvents
+| where Timestamp > ago(7d)
+| where FileName =~ 'reg.exe'
+    and ProcessCommandLine has 'save'
+    and ProcessCommandLine has 'hklm'
+    and ProcessCommandLine has 'sam'
+| project DeviceId, Timestamp, InitiatingProcessId, 
+InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access | v |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Detect PsExec being used to spread files](../Lateral%20Movement/remote-file-creation-with-psexec.md)
+* [Detect Cobalt Strike invoked via WMI](../Campaigns/cobalt-strike-invoked-w-wmi.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team
diff --git a/Lateral Movement/remote-file-creation-with-psexec.md b/Lateral Movement/remote-file-creation-with-psexec.md
@@ -0,0 +1,65 @@
+# Detect PsExec being used to spread files
+
+This query was originally published in the threat analytics report, *Ryuk ransomware*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/).
+
+[Ryuk](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689) is human-operated ransomware. Much like [DoppelPaymer](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot.
+
+Ryuk operators use [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) to manually spread the ransomware to other devices.
+
+The following query detects remote file creation events that might indicate an active attack.
+
+The [See also](#See-also) section below lists links to other queries associated with Ryuk ransomware.
+
+## Query
+
+```Kusto
+// Find PsExec creating multiple files on remote machines in a 10-minute window
+DeviceFileEvents
+| where Timestamp > ago(7d)
+// Looking for PsExec by accepteula command flag
+| where InitiatingProcessCommandLine has "accepteula"
+// Remote machines and file is exe
+| where FolderPath has "\\\\" and FileName endswith ".exe"
+| extend Exe = countof(InitiatingProcessCommandLine, ".exe")
+// Checking to see if command line has 2 .exe or .bat
+| where InitiatingProcessCommandLine !has ".ps1" and Exe > 1 or 
+InitiatingProcessCommandLine has ".bat"
+// Exclusions: Remove the following line to widen scope of AHQ
+| where not(InitiatingProcessCommandLine has_any("batch", "auditpol", 
+"script", "scripts", "illusive", "rebootrequired"))
+| summarize FileCount = dcount(FolderPath), make_set(SHA1), make_set(FolderPath), 
+make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId, 
+TimeWindow=bin(Timestamp, 10m), InitiatingProcessFileName
+| where FileCount > 4
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement | v |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Detect credential theft via SAM database export by LaZagne](../Credential%20Access/lazagne.md)
+* [Detect Cobalt Strike invoked via WMI](../Campaigns/cobalt-strike-invoked-w-wmi.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team