The doppelpaymer-psexec hunting query looks for lateral movement with PsExec, the remote execution tool DoppelPaymer operators use to push their payload across a network. It fires on the endpoint that received the connection: PsExec installs the PSEXESVC service on the target, so every process it starts there has PSEXESVC.exe as its parent, which is why the query keys on an InitiatingProcessFileName beginning with "psexe" (this also matches psexec.exe and psexec64.exe should they spawn children on the operator's own host). A device that runs three or more distinct commands under that parent in one day, at least one of them a copy, is a staging pattern worth triaging. SOC teams should run this proactively in Azure Sentinel to catch that staging before encryption reaches critical systems.
id: 82ab54b5-6387-4d84-b04f-165115272fae
name: doppelpaymer-psexec
description: |
This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog.
DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization. More specifically, they use common remote execution tools, such as PsExec, to move laterally and distribute ransomware.
The following query detects suspicious usage of PsExec to create files on a remote device.
The See also section below lists links to other queries associated with DoppelPaymer.
References:
https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/
https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372
https://docs.microsoft.com/sysinternals/downloads/psexec
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Lateral movement
query: |
// PsExec creating files on remote machines
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName startswith "psexe"
| summarize CommandCount = dcount(ProcessCommandLine), makeset(ProcessCommandLine),
makeset(FileName) by DeviceId, bin(Timestamp, 1d)
| where CommandCount > 2
| where set_ProcessCommandLine has "copy"
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the MicrosoftThreatProtection data connector listed above; ensure it is enabled |
The exclusions below are KQL `where` clauses. Insert them before the `summarize` line, because after aggregation only DeviceId, the time bin and the set_ columns remain. Names in angle brackets are placeholders for your own accounts, hosts and paths. Never exclude on InitiatingProcessFileName matching psexe*: that is the query's selector and such a filter suppresses every hit.
Scenario: Legitimate use of PsExec for remote administration
Description: An administrator uses PsExec to run a script or service on a remote machine as part of routine maintenance.
Filter/Exclusion: | where not(AccountName in~ ("<approved-admin-account>") and DeviceName in~ ("<managed-server>"))
Scenario: Scheduled job execution using PsExec
Description: A scheduled job configured via schtasks.exe on a management host uses PsExec to execute a legitimate maintenance script on the target.
Filter/Exclusion: | where not(ProcessCommandLine has "<approved-script-path>"). A parent-process check for schtasks.exe does not work here: the task runs on the source host, while this query sees the target, where the parent is PSEXESVC.exe.
Scenario: Software deployment using PsExec
Description: IT staff deploys software updates or patches using PsExec across multiple machines in the environment.
Filter/Exclusion: | where not(FileName in~ ("msiexec.exe", "setup.exe") and ProcessCommandLine has "<approved-package-share>"). Key on the approved package location, not the installer name alone; anything can be named setup.exe.
Scenario: Remote PowerShell execution via PsExec
Description: An administrator uses PsExec to run a PowerShell script on a remote system for configuration management.
Filter/Exclusion: | where not(FileName =~ "powershell.exe" and ProcessCommandLine has "<approved-script>.ps1"). Excluding powershell.exe by name alone would hide operators who use PsExec to launch PowerShell.
Scenario: System backup using PsExec
Description: A backup tool uses PsExec to execute a backup script on remote servers during off-peak hours.
Filter/Exclusion: | where not(AccountName =~ "<backup-service-account>" and FileName =~ "<backup-agent>.exe")
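To reason about the threshold and test a tuning exclusion before touching the workspace, the following Python is a reference implementation of the query's logic run over constructed DeviceProcessEvents rows. It is an added example, not Microsoft's code or part of the hunting query; the device, share, account and script names are placeholders, and `kql_has` only approximates the term matching of KQL `has`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DeviceProcessEvents rows (not real telemetry); only the columns the
# hunting query reads are modelled. Host, share, account and file names are placeholders.
SAMPLE_EVENTS = [
    # Target host: PSEXESVC.exe (installed by PsExec) is the parent of a copy,
    # service-stop and run chain. Three distinct commands, one of them a copy.
    {"Timestamp": "2020-03-02T01:10:00", "DeviceId": "dev-target-01",
     "InitiatingProcessFileName": "PSEXESVC.exe", "FileName": "cmd.exe", "AccountName": "svc-deploy",
     "ProcessCommandLine": r"cmd.exe /c copy \\fs01\share\payload.exe C:\Windows\Temp\payload.exe"},
    {"Timestamp": "2020-03-02T01:11:00", "DeviceId": "dev-target-01",
     "InitiatingProcessFileName": "PSEXESVC.exe", "FileName": "cmd.exe", "AccountName": "svc-deploy",
     "ProcessCommandLine": r"cmd.exe /c net stop SecurityAgent"},
    {"Timestamp": "2020-03-02T01:12:00", "DeviceId": "dev-target-01",
     "InitiatingProcessFileName": "PSEXESVC.exe", "FileName": "payload.exe", "AccountName": "svc-deploy",
     "ProcessCommandLine": r"C:\Windows\Temp\payload.exe"},
    # File server: an approved scheduled cleanup script pushed the same way.
    # Same shape (copy, run, delete), so the untuned query fires here too.
    {"Timestamp": "2020-03-02T03:00:00", "DeviceId": "dev-file-07",
     "InitiatingProcessFileName": "PSEXESVC.exe", "FileName": "cmd.exe", "AccountName": "svc-maint",
     "ProcessCommandLine": r"cmd.exe /c copy \\fs01\scripts\cleanup.cmd C:\Temp\cleanup.cmd"},
    {"Timestamp": "2020-03-02T03:00:10", "DeviceId": "dev-file-07",
     "InitiatingProcessFileName": "PSEXESVC.exe", "FileName": "cmd.exe", "AccountName": "svc-maint",
     "ProcessCommandLine": r"cmd.exe /c C:\Temp\cleanup.cmd"},
    {"Timestamp": "2020-03-02T03:05:00", "DeviceId": "dev-file-07",
     "InitiatingProcessFileName": "PSEXESVC.exe", "FileName": "cmd.exe", "AccountName": "svc-maint",
     "ProcessCommandLine": r"cmd.exe /c del C:\Temp\cleanup.cmd"},
    # Same target host, but the parent is explorer.exe: not selected by the query.
    {"Timestamp": "2020-03-02T01:20:00", "DeviceId": "dev-target-01",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "cmd.exe", "AccountName": "alice",
     "ProcessCommandLine": r"cmd.exe /c copy C:\a.txt C:\b.txt"},
    # Outside the 7-day window relative to NOW: dropped by the time filter.
    {"Timestamp": "2020-02-20T09:00:00", "DeviceId": "dev-target-01",
     "InitiatingProcessFileName": "PSEXESVC.exe", "FileName": "cmd.exe", "AccountName": "svc-deploy",
     "ProcessCommandLine": r"cmd.exe /c copy \\fs01\share\old.exe C:\Temp\old.exe"},
]

# Fixed "now" so the 7-day lookback is deterministic for the sample above.
NOW = datetime(2020, 3, 5, 12, 0, 0)

# Approved maintenance script path (placeholder) used by the tuning exclusion
# for the "scheduled job execution" false-positive scenario.
APPROVED_SCRIPTS = (r"\\fs01\scripts\cleanup.cmd",)


def kql_has(values, term):
    """Approximate KQL `has` on a dynamic array: case-insensitive whole-term match."""
    pattern = re.compile(r"(?<![A-Za-z0-9_])" + re.escape(term) + r"(?![A-Za-z0-9_])", re.IGNORECASE)
    return any(pattern.search(v) for v in values)


def approved_script_exclusion(event):
    """Row-level exclusion: drop commands that reference an approved script path."""
    cmd = event["ProcessCommandLine"].lower()
    return any(path.lower() in cmd for path in APPROVED_SCRIPTS)


def hunt(events, now=NOW, lookback_days=7, exclusions=()):
    """Reference implementation of the doppelpaymer-psexec query.

    `exclusions` are predicates applied per row before aggregation, which is
    where a `| where not(...)` tuning clause must sit in the KQL: after the
    summarize only the set_* columns remain.
    """
    cutoff = now - timedelta(days=lookback_days)            # Timestamp > ago(7d)
    buckets = defaultdict(lambda: {"cmds": set(), "files": set()})
    for ev in events:
        ts = datetime.fromisoformat(ev["Timestamp"])
        if ts <= cutoff:
            continue
        # InitiatingProcessFileName startswith "psexe" (KQL startswith is case-insensitive)
        if not ev["InitiatingProcessFileName"].lower().startswith("psexe"):
            continue
        if any(excl(ev) for excl in exclusions):
            continue
        key = (ev["DeviceId"], ts.date().isoformat())       # by DeviceId, bin(Timestamp, 1d)
        buckets[key]["cmds"].add(ev["ProcessCommandLine"])   # makeset(ProcessCommandLine)
        buckets[key]["files"].add(ev["FileName"])            # makeset(FileName)
    hits = []
    for (device, day), agg in sorted(buckets.items()):
        command_count = len(agg["cmds"])                     # dcount(ProcessCommandLine)
        if command_count > 2 and kql_has(agg["cmds"], "copy"):
            hits.append({"DeviceId": device, "Day": day, "CommandCount": command_count,
                         "set_FileName": sorted(agg["files"])})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print("untuned", h)
    for h in hunt(SAMPLE_EVENTS, exclusions=[approved_script_exclusion]):
        print("tuned  ", h)
```

Untuned, both dev-target-01 and dev-file-07 surface, because the query only sees the shape of the activity (three commands, one of them a copy) and a scripted maintenance push looks the same as a payload push. With the approved-script exclusion applied at row level, the file server drops below the threshold and only the target host remains; dropping the exclusion in after the summarize would not work, since the per-row command line is no longer a column there.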