The Imminent Ransomware hypothesis detects an adversary disabling security and recovery tools to prepare for a ransomware attack, indicating a high likelihood of a pending exfiltration or encryption event. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate ransomware threats before they execute, protecting critical systems and data.
KQL Query
```kql
DeviceProcessEvents
// Pivot on specific commands
| where ProcessCommandLine has_any("-ExclusionPath", "Set-MpPreference", "advfirewall", "-ExclusionExtension",
    "-EnableControlledFolderAccess", "windefend", "onstart", "bcdedit", "Startup")
// Make a set of the matching command lines per device and 6-hour window
| summarize ProcessCommandLine = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 6h)
// Extend columns for later aggregation, one per TTP
| extend StartUpExclusionPath = iff(ProcessCommandLine has_all("-ExclusionPath", "Startup"), 1, 0)
// Every pattern must be separated by a comma: adjacent string literals are concatenated in KQL,
// so a missing comma silently merges two patterns into one that never matches
| extend DefenderTamp = iff(ProcessCommandLine has "Set-MpPreference"
    and ProcessCommandLine has_any(
        "-SevereThreatDefaultAction 6",
        "-HighThreatDefaultAction 6",
        "-ModerateThreatDefaultAction 6",
        "-LowThreatDefaultAction 6",
        "-ScanScheduleDay 8"), 1, 0)
| extend NetshFirewallTampering = iff(ProcessCommandLine has_all("netsh", "advfirewall", "allprofiles state off"), 1, 0)
| extend BatExclusion = iff(ProcessCommandLine has_all("-ExclusionExtension", ".bat"), 1, 0)
| extend ExeExclusion = iff(ProcessCommandLine has_all("-ExclusionExtension", ".exe"), 1, 0)
| extend DisableControlledFolderAccess = iff(ProcessCommandLine has_all("-EnableControlledFolderAccess", "Disabled"), 1, 0)
| extend ScDeleteDefend = iff(ProcessCommandLine has_all("sc", "delete", "windefend"), 1, 0)
| extend BootTampering = iff(ProcessCommandLine has_all("bcdedit", "default") and ProcessCommandLine has_any("recoveryenabled No", "bootstatuspolicy ignoreallfailures"), 1, 0)
| extend SchTasks = iff(ProcessCommandLine has_all("/sc", "onstart", "system", "/create", "/delay"), 1, 0)
// Summarize the indicator columns
| summarize by NetshFirewallTampering, BatExclusion, ExeExclusion, DisableControlledFolderAccess, ScDeleteDefend, SchTasks, BootTampering, DefenderTamp, StartUpExclusionPath, DeviceId, Timestamp
// Add up each piece of evidence
| extend EvidenceCount = NetshFirewallTampering + BatExclusion + ExeExclusion + DisableControlledFolderAccess + ScDeleteDefend + SchTasks + BootTampering + DefenderTamp + StartUpExclusionPath
| where EvidenceCount > 4
```
```yaml
id: 26534fba-d2bf-449a-af40-c287c2874668
name: Imminent Ransomware
description: |
  Directly prior to deploying Macaw ransomware in an organization, the attacker will run several commands designed to disable security tools and system recovery tools.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Ransomware
query: |
  DeviceProcessEvents
  // Pivot on specific commands
  | where ProcessCommandLine has_any("-ExclusionPath", "Set-MpPreference", "advfirewall", "-ExclusionExtension",
      "-EnableControlledFolderAccess", "windefend", "onstart", "bcdedit", "Startup")
  // Make a set of the matching command lines per device and 6-hour window
  | summarize ProcessCommandLine = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 6h)
  // Extend columns for later aggregation, one per TTP
  | extend StartUpExclusionPath = iff(ProcessCommandLine has_all("-ExclusionPath", "Startup"), 1, 0)
  // Every pattern must be separated by a comma: adjacent string literals are concatenated in KQL,
  // so a missing comma silently merges two patterns into one that never matches
  | extend DefenderTamp = iff(ProcessCommandLine has "Set-MpPreference"
      and ProcessCommandLine has_any(
          "-SevereThreatDefaultAction 6",
          "-HighThreatDefaultAction 6",
          "-ModerateThreatDefaultAction 6",
          "-LowThreatDefaultAction 6",
          "-ScanScheduleDay 8"), 1, 0)
  | extend NetshFirewallTampering = iff(ProcessCommandLine has_all("netsh", "advfirewall", "allprofiles state off"), 1, 0)
  | extend BatExclusion = iff(ProcessCommandLine has_all("-ExclusionExtension", ".bat"), 1, 0)
  | extend ExeExclusion = iff(ProcessCommandLine has_all("-ExclusionExtension", ".exe"), 1, 0)
  | extend DisableControlledFolderAccess = iff(ProcessCommandLine has_all("-EnableControlledFolderAccess", "Disabled"), 1, 0)
  | extend ScDeleteDefend = iff(ProcessCommandLine has_all("sc", "delete", "windefend"), 1, 0)
  | extend BootTampering = iff(ProcessCommandLine has_all("bcdedit", "default") and ProcessCommandLine has_any("recoveryenabled No", "bootstatuspolicy ignoreallfailures"), 1, 0)
  | extend SchTasks = iff(ProcessCommandLine has_all("/sc", "onstart", "system", "/create", "/delay"), 1, 0)
  // Summarize the indicator columns
  | summarize by NetshFirewallTampering, BatExclusion, ExeExclusion, DisableControlledFolderAccess, ScDeleteDefend, SchTasks, BootTampering, DefenderTamp, StartUpExclusionPath, DeviceId, Timestamp
  // Add up each piece of evidence
  | extend EvidenceCount = NetshFirewallTampering + BatExclusion + ExeExclusion + DisableControlledFolderAccess + ScDeleteDefend + SchTasks + BootTampering + DefenderTamp + StartUpExclusionPath
  | where EvidenceCount > 4
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
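To see how the pipeline above behaves end to end, here is an offline replay of it in Python. This is an added example, not code from the page or from the Sentinel query repository: it re-implements the four stages (pivot filter, `make_set` per DeviceId and 6-hour bin, indicator columns, `EvidenceCount > 4`) over a handful of constructed DeviceProcessEvents rows. Two assumptions are built in: KQL `has`/`has_any`/`has_all` are term-based and are approximated here with case-insensitive substring tests, and the indicators are evaluated against the whole `make_set` array at once, so the terms of one `has_all` may come from different command lines inside the same window (which is how the KQL reads to me; verify in your own workspace). The `exclusions` parameter is a hypothetical tuning hook for the known-maintenance-job allow-listing described in the false-positive scenarios below.

```python
"""Offline replay of the 'Imminent Ransomware' hunting query (added example, not the page's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

BIN = timedelta(hours=6)
EPOCH = datetime(1970, 1, 1)

# Same term lists as the KQL; every entry is a separate string (no adjacent-literal concatenation)
PIVOT_TERMS = ("-ExclusionPath", "Set-MpPreference", "advfirewall", "-ExclusionExtension",
               "-EnableControlledFolderAccess", "windefend", "onstart", "bcdedit", "Startup")
DEFENDER_TAMPER_TERMS = ("-SevereThreatDefaultAction 6", "-HighThreatDefaultAction 6",
                         "-ModerateThreatDefaultAction 6", "-LowThreatDefaultAction 6",
                         "-ScanScheduleDay 8")


def has_any(text, terms):
    """Approximation of KQL has_any: case-insensitive substring match on any term (assumption)."""
    lowered = text.lower()
    return any(t.lower() in lowered for t in terms)


def has_all(text, terms):
    """Approximation of KQL has_all: every term must occur, case-insensitively (assumption)."""
    lowered = text.lower()
    return all(t.lower() in lowered for t in terms)


def bin_timestamp(ts):
    """KQL bin(Timestamp, 6h): floor to the enclosing 6-hour boundary, counted from the epoch."""
    return EPOCH + ((ts - EPOCH) // BIN) * BIN


def score_bucket(cmdlines):
    """Indicator columns for one (DeviceId, window) row; the set is searched as a whole."""
    joined = " ".join(cmdlines)
    ind = {
        "StartUpExclusionPath": has_all(joined, ("-ExclusionPath", "Startup")),
        "DefenderTamp": (has_all(joined, ("Set-MpPreference",))
                         and has_any(joined, DEFENDER_TAMPER_TERMS)),
        "NetshFirewallTampering": has_all(joined, ("netsh", "advfirewall", "allprofiles state off")),
        "BatExclusion": has_all(joined, ("-ExclusionExtension", ".bat")),
        "ExeExclusion": has_all(joined, ("-ExclusionExtension", ".exe")),
        "DisableControlledFolderAccess": has_all(joined, ("-EnableControlledFolderAccess", "Disabled")),
        "ScDeleteDefend": has_all(joined, ("sc", "delete", "windefend")),
        "BootTampering": (has_all(joined, ("bcdedit", "default"))
                          and has_any(joined, ("recoveryenabled No", "bootstatuspolicy ignoreallfailures"))),
        "SchTasks": has_all(joined, ("/sc", "onstart", "system", "/create", "/delay")),
    }
    return {k: int(v) for k, v in ind.items()}


def hunt(events, threshold=4, exclusions=()):
    """Replay the query. `exclusions` is a hypothetical allow-list of command-line fragments."""
    buckets = defaultdict(set)  # make_set(): duplicate command lines collapse
    for ev in events:
        cmd = ev["ProcessCommandLine"]
        if not has_any(cmd, PIVOT_TERMS):          # the pivot `where` clause
            continue
        if any(ex.lower() in cmd.lower() for ex in exclusions):  # tuning hook, not in the KQL
            continue
        buckets[(ev["DeviceId"], bin_timestamp(ev["Timestamp"]))].add(cmd)
    hits = []
    for (device, window), cmds in sorted(buckets.items()):
        ind = score_bucket(sorted(cmds))
        count = sum(ind.values())                   # EvidenceCount
        if count > threshold:
            hits.append({"DeviceId": device, "Timestamp": window, "EvidenceCount": count, **ind})
    return hits


# Constructed sample rows (not real telemetry); command lines are the ones the query pivots on.
SAMPLE_EVENTS = [
    {"DeviceId": "ws-01", "Timestamp": datetime(2024, 3, 1, 8, 2),
     "ProcessCommandLine": "powershell.exe Set-MpPreference -ExclusionPath C:\\Users\\Public\\Startup"},
    {"DeviceId": "ws-01", "Timestamp": datetime(2024, 3, 1, 8, 3),
     "ProcessCommandLine": "powershell.exe Set-MpPreference -SevereThreatDefaultAction 6 -HighThreatDefaultAction 6"},
    {"DeviceId": "ws-01", "Timestamp": datetime(2024, 3, 1, 8, 5),
     "ProcessCommandLine": "powershell.exe Set-MpPreference -ExclusionExtension .exe"},
    {"DeviceId": "ws-01", "Timestamp": datetime(2024, 3, 1, 8, 6),
     "ProcessCommandLine": "netsh advfirewall set allprofiles state off"},
    {"DeviceId": "ws-01", "Timestamp": datetime(2024, 3, 1, 8, 7),
     "ProcessCommandLine": "sc delete windefend"},
    {"DeviceId": "ws-01", "Timestamp": datetime(2024, 3, 1, 8, 9),
     "ProcessCommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"DeviceId": "ws-01", "Timestamp": datetime(2024, 3, 1, 8, 9),   # duplicate: collapsed by make_set
     "ProcessCommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"DeviceId": "ws-01", "Timestamp": datetime(2024, 3, 1, 8, 10),  # fails the pivot filter
     "ProcessCommandLine": "notepad.exe C:\\notes.txt"},
    {"DeviceId": "ws-02", "Timestamp": datetime(2024, 3, 1, 9, 15),  # single indicator: below threshold
     "ProcessCommandLine": "powershell.exe Set-MpPreference -ExclusionExtension .bat"},
    {"DeviceId": "ws-02", "Timestamp": datetime(2024, 3, 1, 20, 30),  # different 6h window, no indicator
     "ProcessCommandLine": "bcdedit /enum"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running it flags only `ws-01` in the 06:00 window with `EvidenceCount` 6; `ws-02` stays below the threshold because its two events carry one indicator between them and fall into different 6-hour bins. Note that `.exe` also occurs in `powershell.exe`, so `ExeExclusion` fires for any `Set-MpPreference -ExclusionExtension` run from PowerShell regardless of the extension given; KQL term matching tokenizes `powershell.exe` into `powershell` and `exe`, so the original query should show the same behaviour, which is worth confirming before tuning the threshold.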
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as Microsoft System Configuration Tool (msconfig) or Task Scheduler job, is run to disable unnecessary services.
Filter/Exclusion: Exclude processes initiated by Task Scheduler with known maintenance tasks or those executed by System or LocalService accounts.
Scenario: Security Tool Configuration Update
Description: An administrator is updating the configuration of a security tool like Windows Defender or Microsoft Endpoint Detection and Response (EDR) to adjust settings or disable certain features for troubleshooting.
Filter/Exclusion: Exclude processes with msdefender.exe or microsoft-edge.exe that are associated with known configuration update scripts or tasks.
Scenario: Backup Job Execution
Description: A backup job using Veeam Backup & Replication or Acronis True Image is running, which temporarily disables certain system services or tools during the backup process.
Filter/Exclusion: Exclude processes related to backup tools with known backup job names or executed under the Backup Operator user account.
Scenario: Windows Update or Patching Task
Description: A Windows Update or patching task is running, which may temporarily disable services like Windows Defender or Windows Update services during the update process.
Filter/Exclusion: Exclude processes initiated by Windows Update services (wuauserv) or tasks with known update-related names in the Task Scheduler.
Scenario: User-Initiated System Reset or Repair
Description: A user or administrator is performing a system reset or repair using tools like System File Checker (sfc.exe) or DISM, which may temporarily disable system tools or services.
Filter/Exclusion: Exclude processes with sfc.exe, `dism