Dev-0530 actors are likely encrypting files and renaming them with the .h0lyenc extension to hide malicious activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to ransomware campaigns early.
KQL Query
```kusto
union isfuzzy=true
(DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".h0lyenc" or FolderPath == "C:\\FOR_DECRYPT.html"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
    by
    AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,
    DeviceName,
    Type,
    InitiatingProcessId,
    FileName,
    FolderPath,
    EventType = ActionType,
    Commandline = InitiatingProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessSHA256,
    FileHashCustomEntity = SHA256,
    AlgorithmCustomEntity = "SHA256"
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
),
(imFileEvent
| where EventType == "FileCreated"
| where TargetFilePath endswith ".h0lyenc" or TargetFilePath == "C:\\FOR_DECRYPT.html"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
    by
    ActorUsername,
    DvcHostname,
    DvcDomain,
    DvcId,
    Type,
    EventType,
    FileHashCustomEntity = TargetFileSHA256,
    Hash,
    TargetFilePath,
    Commandline = ActingProcessCommandLine,
    AlgorithmCustomEntity = "SHA256"
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountDomain = tostring(split(ActorUsername, @'\')[0])
| extend HostName = DvcHostname, HostNameDomain = DvcDomain
| extend DeviceName = strcat(DvcHostname, ".", DvcDomain)
)
```
```yaml
id: d82eb796-d1eb-43c8-a813-325ce3417cef
name: Dev-0530 File Extension Rename
description: |
  'Dev-0530 actors are known to encrypt the contents of the victim's device as well as renaming the file extensions. This query looks for the creation of files with the .h0lyenc extension or the presence of a ransom note.'
severity: High
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1486
tags:
  - Dev-0530
  - Schema: ASIMFileEvent
    SchemaVersion: 0.1.0
query: |
  union isfuzzy=true
  (DeviceFileEvents
  | where ActionType == "FileCreated"
  | where FileName endswith ".h0lyenc" or FolderPath == "C:\\FOR_DECRYPT.html"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
      by
      AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,
      DeviceName,
      Type,
      InitiatingProcessId,
      FileName,
      FolderPath,
      EventType = ActionType,
      Commandline = InitiatingProcessCommandLine,
      InitiatingProcessFileName,
      InitiatingProcessSHA256,
      FileHashCustomEntity = SHA256,
      AlgorithmCustomEntity = "SHA256"
  | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
  ),
  (imFileEvent
  | where EventType == "FileCreated"
  | where TargetFilePath endswith ".h0lyenc" or TargetFilePath == "C:\\FOR_DECRYPT.html"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
      by
      ActorUsername,
      DvcHostname,
      DvcDomain,
      DvcId,
      Type,
      EventType,
      FileHashCustomEntity = TargetFileSHA256,
      Hash,
      TargetFilePath,
      Commandline = ActingProcessCommandLine,
      AlgorithmCustomEntity = "SHA256"
  | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountDomain = tostring(split(ActorUsername, @'\')[0])
  | extend HostName = DvcHostname, HostNameDomain = DvcDomain
  | extend DeviceName = strcat(DvcHostname, ".", DvcDomain)
  )
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: ActorUsername  # must match the case of the ActorUsername column the query emits
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: DeviceName
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
  - entityType: FileHash
    fieldMappings:
      - identifier: Algorithm
        columnName: AlgorithmCustomEntity
      - identifier: Value
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| imFileEvent | Ensure this data connector is enabled |
Scenario: Scheduled Backup Job Renames Files
Description: A scheduled backup job uses a script or tool like rsync or robocopy to rename files during a backup process, temporarily adding .h0lyenc as part of a naming convention.
Filter/Exclusion: Exclude files created by known backup tools or processes, e.g., ProcessName = "rsync" or ProcessName = "robocopy".
Scenario: Admin Task for File Archiving
Description: An administrator uses a script or tool like PowerShell or Python to archive files by renaming them with a .h0lyenc suffix as part of a file organization task.
Filter/Exclusion: Exclude files modified by administrative tasks or scripts with known user agents, e.g., User-Agent = "PowerShell" or User-Agent = "Python".
Scenario: Temporary File Creation by Application
Description: A legitimate application, such as a database tool like MySQL or MongoDB, creates temporary files with .h0lyenc as part of its internal operations.
Filter/Exclusion: Exclude files created by known applications or services, e.g., ProcessName = "mysqld" or ProcessName = "mongod".
Scenario: File Extension Change for Compatibility
Description: A developer manually or via a script changes file extensions (e.g., .txt to .h0lyenc) to test compatibility with another system or tool.
Filter/Exclusion: Exclude files modified by user-initiated scripts or manual changes, e.g., User-Agent = "cmd.exe" or User-Agent = "PowerShell.exe".
Scenario: File System Maintenance Tool
Description: A file system maintenance tool like chkdsk or