Microsoft Defender Antivirus names its Hive ransomware detections Ransom:Win32/Hive and Ransom:Win64/Hive. A detection with either name means a Hive payload reached an endpoint, so it sits late in the intrusion, at the Impact stage (T1486, Data Encrypted for Impact). Even when Defender reports the file as blocked, the affiliate who dropped it is already inside the network. SOC teams should hunt for these detections in Microsoft Sentinel (formerly Azure Sentinel) and triage every hit as an active ransomware incident before encryption spreads to other hosts.
KQL Query
```kusto
// Defender AV detection names for Hive; in~ below makes the match case-insensitive
let Hive_threats = dynamic(["Ransom:Win64/Hive", "Ransom:Win32/Hive"]);
DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join kind=inner ( SecurityAlert
    | where ProviderName == "MDATP"
    // ThreatName and ThreatFamilyName live in the ExtendedProperties JSON bag
    | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
    | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
    | where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)
    // CompromisedEntity is the device FQDN; lower-case both sides before joining
    | extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity
// After the join, TimeGenerated is the DeviceInfo snapshot time; the alert's own
// time is TimeGenerated1. DeviceInfo holds several snapshots per device, so the
// summarize collapses them to one row per device, alert and day.
| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, ProductName, Entities
// Split the FQDN into host name and DNS domain for the Host entity mapping
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
| project-away DomainIndex
```
Analytic rule (Scheduled), as deployed in Microsoft Sentinel:

```yaml
id: 4e5914a4-2ccd-429d-a845-fa597f0bd8c5
name: AV detections related to Hive Ransomware
description: |
  'This query looks for Microsoft Defender AV detections related to Hive Ransomware.
  In Microsoft Sentinel the SecurityAlert table includes only the device name of the affected device; this query joins the DeviceInfo table to connect other information such as device group, public IP and logged-on users. This gives the Microsoft Sentinel analyst more context for the alert, where available.'
severity: High
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - SecurityAlert
      - DeviceInfo   # the inner join returns nothing for devices absent from DeviceInfo
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1486
tags:
  - HiveRansomware
query: |
  let Hive_threats = dynamic(["Ransom:Win64/Hive", "Ransom:Win32/Hive"]);
  DeviceInfo
  | extend DeviceName = tolower(DeviceName)
  | join kind=inner ( SecurityAlert
      | where ProviderName == "MDATP"
      | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
      | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
      | where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)
      | extend CompromisedEntity = tolower(CompromisedEntity)
  ) on $left.DeviceName == $right.CompromisedEntity
  | summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, ProductName, Entities
  | extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
  | project-away DomainIndex
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: CompromisedEntity
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: PublicIP
version: 1.0.5
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
```
| Sentinel Table | Notes |
|---|---|
| SecurityAlert | Ensure the Microsoft Defender XDR connector (connectorId MicrosoftThreatProtection) is enabled; this table carries the AV detection and its ThreatName |
| DeviceInfo | Also required: the rule inner-joins it for device group, public IP and logged-on users, so an alert for a device missing from DeviceInfo is silently dropped |
False positives and tuning

The rule keys on the Defender detection name (ThreatName / ThreatFamilyName), not on process activity, and the query exposes no ProcessName or CommandLine column: those fields live in DeviceProcessEvents, and for this alert only inside the SecurityAlert Entities JSON (file and process entities). A detection named Ransom:Win32/Hive or Ransom:Win64/Hive on any of the tools below is therefore a false positive of the AV engine itself, not of the query. Verify the flagged file's hash first; if it is clean, submit the sample to Microsoft and add a Defender exclusion for that exact path, and suppress in the rule only as a last resort, by host (CompromisedEntity) or by the file and process entities parsed out of Entities.

- Scenario: Legitimate scheduled backup job using Veeam
  Description: A backup job encrypts backup files as part of the process and could in principle be flagged by AV.
  Filter/Exclusion: Confirm the flagged image is the signed Veeam binary (veeam.exe) from its installation path, then exclude that path in Defender or match the file entity name from Entities; the query has no ProcessName field to filter on.
- Scenario: System update using Windows Update or Microsoft Endpoint Manager (MEM)
  Description: Windows Update or MEM deploying patches or security updates could be flagged by AV.
  Filter/Exclusion: Verify that the flagged file is a Microsoft-signed update component (wuauclt.exe, msiexec.exe) and not a payload staged under an update directory; exclude by the file entity name and directory, not by the process name alone.
- Scenario: Admin task using PowerShell to manage encryption keys
  Description: An admin may run PowerShell scripts that perform cryptographic operations, which could be flagged by AV.
  Filter/Exclusion: Never exclude powershell.exe as a whole; scope any suppression to the specific signed script path and command line, taken from the process entity's CommandLine in Entities.
- Scenario: Legitimate use of the BitLocker encryption tool
  Description: BitLocker encryption or decryption operations (manage-bde.exe) could be flagged by AV because of the cryptographic activity.
  Filter/Exclusion: Confirm the image is the Windows-signed manage-bde.exe from System32 before excluding it by file entity name; Hive payloads can carry any file name.
- Scenario: Antivirus false positive during a security scan by another product
  Description: A scan by a third-party product such as Kaspersky, Bitdefender or Malwarebytes may unpack or quarantine files that Defender then flags.
  Filter/Exclusion: Exclude only the verified scanner process images (for example kavsvc.exe, mbam.exe) by file entity name and directory, or better, by SHA-256 from the file entity's FileHashes; a Hive sample left in a quarantine folder is still a real detection.
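The following query is added here as a worked tuning example; it is not part of the Microsoft rule above. It shows how the exclusions described in these scenarios can actually be applied: it pulls the file and process entities out of the SecurityAlert Entities column, which is the only place this alert carries a file name or a command line, and drops alerts whose detected file is on an allow-list or that come from an allow-listed host. The host name, the two allow-list contents and the output column names are assumptions for illustration.

```kusto
// Added tuning example; not part of the Microsoft rule. The values in the two
// exclusion lists are assumptions for illustration, not recommended defaults.
let Hive_threats = dynamic(["Ransom:Win64/Hive", "Ransom:Win32/Hive"]);
let ExcludedHosts = dynamic(["sandbox01.lab.example.com"]);   // assumed detonation host
let ExcludedFiles = dynamic(["veeam.exe", "manage-bde.exe"]); // assumed verified-clean images
SecurityAlert
| where ProviderName == "MDATP"
| extend Props = parse_json(ExtendedProperties)
| extend ThreatName = tostring(Props.ThreatName), ThreatFamilyName = tostring(Props.ThreatFamilyName)
| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)
| extend CompromisedEntity = tolower(CompromisedEntity)
// Host-level suppression: the only exclusion the original rule's columns support
| where CompromisedEntity !in~ (ExcludedHosts)
// Entities is a JSON array of typed objects (host, file, process, ...). Expand it
// so file names and process command lines become filterable columns. MDATP alerts
// always carry at least the host entity, so no alert is lost in the expansion.
| mv-expand Entity = todynamic(Entities)
| extend EntityType = tolower(tostring(Entity.Type))
| summarize FileNames = make_set_if(tolower(tostring(Entity.Name)), EntityType == "file"),
            CommandLines = make_set_if(tostring(Entity.CommandLine), EntityType == "process"),
            take_any(TimeGenerated, ThreatName, ThreatFamilyName, AlertSeverity, Description)
    by SystemAlertId, CompromisedEntity
// Drop the alert only when one of the detected files is on the allow-list.
// Exact name match on purpose: a substring match on the path would also hide
// a payload that an affiliate dropped into a backup or update directory.
| where array_length(set_intersect(FileNames, ExcludedFiles)) == 0
| project TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName, AlertSeverity, FileNames, CommandLines, Description
```

Keying the allow-list on the SHA-256 in each file entity's FileHashes array instead of on the file name is stronger, since a Hive payload can be renamed to veeam.exe; the name-based version above is the direct translation of the scenarios. The output keeps the command lines so an analyst can see at a glance whether the flagged binary was launched by a scheduler, an admin shell or an unknown parent.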