A process whose command line matches the launch pattern used by Dopplepaymer ransomware is a strong indicator of in-memory malware implant activity on that host. By the time this pattern appears the adversary normally already has a foothold and is staging the intrusion, which can lead to persistence, data exfiltration or encryption. SOC teams should hunt for this pattern proactively in Azure Sentinel so that the staging phase is caught before the ransomware payload is deployed and data is lost.
KQL Query
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine startswith "-q -s {{" and ProcessCommandLine contains "}} -p "
id: c7927ab6-63c8-41bc-a5d7-fc15826e2b57
name: Dopplepaymer In-Memory Malware Implant
description: |
  Dopplepaymer In-Memory Malware Implant.
  This query identifies processes whose command line launch strings match
  the pattern used in Dopplepaymer ransomware attacks.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where ProcessCommandLine startswith "-q -s {{" and ProcessCommandLine contains "}} -p "
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection data connector that supplies this table is enabled |
A note before tuning: the filter is narrow by design. A row is returned only when ProcessCommandLine begins with the literal "-q -s {{" and also contains "}} -p ", which means the executable path that normally opens a recorded command line is absent; that happens when a process is created with the image passed separately from its argument string. None of the example command lines in the scenarios below begins with "-q -s {{", so as written they would not be returned by this query. Treat the scenarios as guidance on the kinds of legitimate activity that generally get excluded from process-based hunts, and before adding any exclusion confirm that the matched command line really starts with "-q -s {{" and that the same launch string is not recurring on other hosts.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script with a command line thought to resemble the Dopplepaymer pattern (e.g., cmd.exe /c powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString('http://legit-server.com/patch.ps1')") as part of a routine system update.
Filter/Exclusion: Scheduled tasks are launched by the Task Scheduler service, which runs inside svchost.exe, so excluding that parent wholesale would also hide malicious tasks. Filter on the specific task's command line or on known update URLs served from internal servers instead.
Scenario: Admin Performing Remote PowerShell Execution
Description: An admin uses PowerShell remoting to execute a script on a remote machine, and the resulting command line is thought to match the Dopplepaymer pattern.
Filter/Exclusion: Processes started through PowerShell remoting have wsmprovhost.exe (the WinRM plugin host) as their parent. Restrict any exclusion to that parent combined with a known admin source IP, domain or account rather than excluding every powershell.exe launched with -Command.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus tool runs a scan that executes a script with a command line resembling the Dopplepaymer pattern (e.g., powershell.exe -Command "Get-ChildItem -Path C:\temp\* | Remove-Item -Force -Recurse").
Filter/Exclusion: Exclude processes whose parent is a known antivirus or endpoint protection binary (e.g., Microsoft Defender, Bitdefender, Kaspersky), identified by its signature rather than by file name alone, or filter by command lines containing known safe operations.
Scenario: Database Backup Script Execution
Description: A database backup script uses cmd.exe and powershell.exe to execute a backup command whose command line is thought to match the Dopplepaymer pattern (e.g., `powershell.exe -Command "Backup-SqlDatabase -ServerInstance 'localhost' -Database 'MyDB' -BackupFile 'C:\backup\mydb.b