kqlHunting

ASR Ransomware

Detects when the ASR rule "Use advanced protection against ransomware" fires, recorded in DeviceEvents as the ActionType AsrRansomwareBlocked (block mode) or AsrRansomwareAudited (audit mode). Microsoft Defender for Endpoint (MDE) uses client-side and cloud heuristics to determine whether a file resembles ransomware; the file could, for example, be the script used to encrypt files. Defender for Endpoint does not generate an alert for these events by default, so they are easy to miss, and they can mark the start of a ransomware attack. Note that an audited event means the rule was in audit mode and the file was allowed to run, so those hits deserve the most urgent follow-up. Additional information is available from Microsoft.

MITRE ATT&CK

Impact

Detection Query

DeviceEvents
| where ingestion_time() > ago(30d)
| where ActionType in ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
| summarize arg_max(Timestamp, *), TotalEvents = count(), TriggeredFiles = make_set(FileName), FileHashes = make_set(SHA1), InitiatingProcesses = make_set(InitiatingProcessCommandLine) by DeviceName, AccountName
| project Timestamp, DeviceName, AccountDomain, AccountName, TotalEvents, TriggeredFiles, FileHashes, InitiatingProcesses
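
The query below is an added example, not part of the original query set. It extends the detection above by splitting hits into block-mode and audit-mode counts per device and account, so hosts where the rule only audited (and the suspect file was therefore allowed to run) are listed first. It uses only standard DeviceEvents columns; the 30-day lookback matches the page, while the 50-item cap on the sets and the Posture label are choices made here.

```kql
// Added example, not from the original page. Splits ASR ransomware hits into
// blocked vs. audited per device/account and surfaces audit-only hosts first.
DeviceEvents
| where ingestion_time() > ago(30d)
| where ActionType in ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
| summarize
    // Latest event per device/account; DeviceId and ReportId are kept so the
    // output can be used as a custom detection rule in Defender XDR.
    arg_max(Timestamp, AccountDomain, DeviceId, ReportId),
    BlockedEvents = countif(ActionType == 'AsrRansomwareBlocked'),
    AuditedEvents = countif(ActionType == 'AsrRansomwareAudited'),
    TriggeredFiles = make_set(FileName, 50),        // cap at 50 to keep rows readable
    FileHashes = make_set(SHA1, 50),
    FolderPaths = make_set(FolderPath, 50),
    InitiatingProcesses = make_set(InitiatingProcessCommandLine, 50)
    by DeviceName, AccountName
// Audit mode only logs; the file ran. Those hosts need the fastest follow-up.
| extend Posture = iff(BlockedEvents == 0, 'AuditOnly', 'Blocked')
| project Timestamp, DeviceId, ReportId, DeviceName, AccountDomain, AccountName, Posture,
    BlockedEvents, AuditedEvents, TriggeredFiles, FileHashes, FolderPaths, InitiatingProcesses
| sort by Posture asc, AuditedEvents desc, BlockedEvents desc
```

Because Timestamp, DeviceId and ReportId survive the summarize, this variant satisfies the column requirements for a Defender XDR custom detection rule, which is the simplest way to close the "no alert by default" gap the description points out. Rows with Posture 'AuditOnly' should be triaged first: the hashes in FileHashes can be pivoted against DeviceFileEvents and DeviceProcessEvents to see where the file came from and whether it executed further.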

Data Sources

DeviceEvents

Platforms

windows
azure-sentinel
microsoft-defender

Tags

defender-for-endpoint
ransomware
Raw Content
# ASR Ransomware

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1486 | Data Encrypted for Impact |https://attack.mitre.org/techniques/T1486|

#### Description
Detects when the ASR rule "Use advanced protection against ransomware" fires, recorded in DeviceEvents as the ActionType AsrRansomwareBlocked (block mode) or AsrRansomwareAudited (audit mode). Microsoft Defender for Endpoint (MDE) uses client-side and cloud heuristics to determine whether a file resembles ransomware; the file could, for example, be the script used to encrypt files. Defender for Endpoint does not generate an alert for these events by default, so they are easy to miss, and they can mark the start of a ransomware attack. Note that an audited event means the rule was in audit mode and the file was allowed to run, so those hits deserve the most urgent follow-up. Additional information is available from Microsoft.

#### Risk
An actor has gained access to your network and is trying to execute ransomware.

#### References
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#use-advanced-protection-against-ransomware

## Defender XDR
```KQL
DeviceEvents
| where ingestion_time() > ago(30d)
| where ActionType in ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
| summarize arg_max(Timestamp, *), TotalEvents = count(), TriggeredFiles = make_set(FileName), FileHashes = make_set(SHA1), InitiatingProcesses = make_set(InitiatingProcessCommandLine) by DeviceName, AccountName
| project Timestamp, DeviceName, AccountDomain, AccountName, TotalEvents, TriggeredFiles, FileHashes, InitiatingProcesses
```
## Sentinel
```KQL
DeviceEvents
| where ingestion_time() > ago(30d)
| where ActionType in ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
| summarize arg_max(Timestamp, *), TotalEvents = count(), TriggeredFiles = make_set(FileName), FileHashes = make_set(SHA1), InitiatingProcesses = make_set(InitiatingProcessCommandLine) by DeviceName, AccountName
| project Timestamp, DeviceName, AccountDomain, AccountName, TotalEvents, TriggeredFiles, FileHashes, InitiatingProcesses
```