The hypothesis is that an adversary is attempting to encrypt files in a way that triggers Azure Security Center's ransomware detection mechanisms without producing an alert, so the activity evades initial detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential ransomware activity early and prevent data loss.
KQL Query
```kusto
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType has_any ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
| summarize arg_max(Timestamp, *), TotalEvents = count(), TriggeredFiles = make_set(FileName), FileHashes = make_set(SHA1),
    InitiatingProcesses = make_set(InitiatingProcessCommandLine) by DeviceName, AccountName
| project Timestamp, DeviceName, AccountDomain, AccountName, TotalEvents, TriggeredFiles, FileHashes, InitiatingProcesses
```
```yaml
id: ff9a1b12-e446-44ff-a576-7f53caa32044
name: ASR Ransomware Event triggered
description: |
  This rule detects when the ASR rule AsrRansomwareBlocked or AsrRansomwareAudited is triggered.
  No alert is generated by default. This could be the start of a ransomware attack.
  Additional information available from Microsoft:
  https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#use-advanced-protection-against-ransomware
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
tactics:
  # T1486 (Data Encrypted for Impact) belongs to the Impact tactic; "Ransomware" is not a valid Sentinel tactic value.
  - Impact
relevantTechniques:
  - T1486
query: |
  DeviceEvents
  | where Timestamp > ago(30d)
  | where ActionType has_any ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
  | summarize arg_max(Timestamp, *), TotalEvents = count(), TriggeredFiles = make_set(FileName), FileHashes = make_set(SHA1),
      InitiatingProcesses = make_set(InitiatingProcessCommandLine) by DeviceName, AccountName
  | project Timestamp, DeviceName, AccountDomain, AccountName, TotalEvents, TriggeredFiles, FileHashes, InitiatingProcesses
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountName
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
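As an added example (not part of the original rule or hunting query), the query above combined with the process exclusions from the false-positive scenarios that follow, expressed against the DeviceEvents schema rather than the ECS-style field names used in those scenarios. The excluded process list is assembled from the scenarios and is an assumption to tune per environment; the account-based exclusion is deliberately not applied, since ransomware routinely runs under elevated accounts.

```kusto
// Added example: ASR ransomware hunt with benign-process exclusions.
// Process names assumed from the false-positive scenarios on this page.
let excludedProcesses = dynamic([
    "wbadmin.exe",   // Windows Backup / System Restore
    "msiexec.exe",   // installer activity listed with System Restore
    "MsMpEng.exe",   // Microsoft Defender engine
    "Mcshield.exe",  // third-party AV scanner
    "7z.exe",        // archiving tools
    "WinRAR.exe"
]);
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType has_any ("AsrRansomwareBlocked", "AsrRansomwareAudited")
// Exclusions combine with AND: keep only events whose initiating process
// matches none of the known-benign names (case-insensitive).
| where InitiatingProcessFileName !in~ (excludedProcesses)
| summarize arg_max(Timestamp, *),
    TotalEvents    = count(),
    // Blocked events are higher confidence than audit-only events.
    BlockedEvents  = countif(ActionType == "AsrRansomwareBlocked"),
    DistinctFiles  = dcount(FileName),
    TriggeredFiles = make_set(FileName, 50),
    FileHashes     = make_set(SHA1, 50),
    InitiatingProcesses = make_set(InitiatingProcessCommandLine, 20)
    by DeviceName, AccountName
| project Timestamp, DeviceName, AccountDomain, AccountName,
    TotalEvents, BlockedEvents, DistinctFiles, TriggeredFiles, FileHashes, InitiatingProcesses
// Many distinct files touched from one account on one host is the
// pattern worth triaging first.
| order by BlockedEvents desc, DistinctFiles desc
```

Review the excluded processes after the first run: a large share of remaining audit events from a single signed backup or AV binary is the signal to add it to the list, whereas an unsigned or renamed binary in InitiatingProcesses should never be excluded.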
Scenario: Scheduled System Restore Job
Description: A legitimate scheduled task runs a system restore to recover from a known issue, triggering the ASR ransomware audit rule.
Filter/Exclusion: Exclude tasks associated with System Restore or Windows Backup services. Example filter: `process.name != "wbadmin.exe" AND process.name != "msiexec.exe"`
Scenario: Admin Performing Disk Cleanup or File Deletion
Description: An administrator manually deletes files or performs disk cleanup, which may be flagged as ransomware activity by the ASR rule.
Filter/Exclusion: Exclude processes initiated by administrators with elevated privileges. Example filter: `user.name != "Administrator" AND process.owner != "NT AUTHORITY\SYSTEM"`
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool like Windows Defender or third-party antivirus performs a full system scan, which may temporarily lock or quarantine files, triggering the ASR rule.
Filter/Exclusion: Exclude processes related to antivirus tools. Example filter: `process.name != "MsMpEng.exe" AND process.name != "Mcshield.exe"`
Scenario: User-Initiated File Compression or Archiving
Description: A user compresses or archives files using tools like WinRAR, 7-Zip, or ZIP, which may be misinterpreted as ransomware activity due to file locking.
Filter/Exclusion: Exclude processes associated with archiving tools. Example filter: `process.name != "7z.exe" AND process.name != "WinRAR.exe"`
Scenario: Database or Backup Job Execution
Description: A database backup job or data migration task runs, temporarily locking files, which may trigger the ASR ransomware audit rule.
Filter/Exclusion: Exclude processes related to backup or database tools. Example filter: `process.name