Adversaries may disable system tools and functionality to hinder recovery efforts before deploying Macaw ransomware. SOC teams should proactively hunt for this behavior in Azure Sentinel so that a pending ransomware deployment can be identified and mitigated before the payload executes.
KQL Query
```kusto
DeviceProcessEvents
| where ProcessCommandLine has_all ("reg", "add")
| where ProcessCommandLine has_any("DisableTaskMgr", "DisableCMD", "DisableRegistryTools", "NoRun") and ProcessCommandLine has "REG_DWORD /d \"1\""
| summarize ProcessCount = dcount(ProcessCommandLine), make_set(ProcessCommandLine) by InitiatingProcessCommandLine, DeviceId, bin(Timestamp, 3m)
| where ProcessCount > 2
```
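As an added example (not part of the original page or the Sentinel content), the query above re-implemented in Python and run over constructed DeviceProcessEvents rows, so the dcount threshold and 3-minute bucketing can be checked offline. The `has` emulation, the device names and the script path are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
POLICY_VALUES = ("DisableTaskMgr", "DisableCMD", "DisableRegistryTools", "NoRun")
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies"

def kql_has(text, term):  # approximates KQL `has`: case-insensitive, whole terms only
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None

def bin_3m(timestamp):  # equivalent of bin(Timestamp, 3m): floor to a 3-minute boundary
    ts = datetime.fromisoformat(timestamp)
    return EPOCH + ((ts - EPOCH) // timedelta(minutes=3)) * timedelta(minutes=3)

def hunt(events, threshold=2):
    """Apply the page's query to DeviceProcessEvents-shaped rows; return alerting groups."""
    groups = defaultdict(set)
    for e in events:
        cmd = e["ProcessCommandLine"]
        if not (all(kql_has(cmd, t) for t in ("reg", "add"))  # has_all ("reg", "add")
                and any(kql_has(cmd, v) for v in POLICY_VALUES)  # has_any(...)
                and kql_has(cmd, 'REG_DWORD /d "1"')):  # the value is written as 1
            continue
        key = (e["InitiatingProcessCommandLine"], e["DeviceId"], bin_3m(e["Timestamp"]))
        groups[key].add(cmd)  # a set reproduces dcount(ProcessCommandLine)
    return [{"InitiatingProcessCommandLine": k[0], "DeviceId": k[1], "Bin": k[2].isoformat(),
             "ProcessCount": len(c), "Commands": sorted(c)}
            for k, c in groups.items() if len(c) > threshold]  # where ProcessCount > 2

def reg_add(subkey, value, data="1"):  # realistic reg.exe command line for the sample rows
    return f'reg add {POLICIES}\\{subkey} /v {value} /t REG_DWORD /d "{data}" /f'
def row(ts, device, parent, cmd):
    return {"Timestamp": ts, "DeviceId": device, "InitiatingProcessCommandLine": parent, "ProcessCommandLine": cmd}

# Constructed sample telemetry (not real events); device names and the script path are made up.
SCRIPT = "cmd.exe /c C:\\Temp\\pre.bat"
SAMPLE_EVENTS = [
    # dev-a: one script disables four tools within a minute -> ProcessCount 4, alerts.
    row("2024-01-10T10:00:05", "dev-a", SCRIPT, reg_add("System", "DisableTaskMgr")),
    row("2024-01-10T10:00:06", "dev-a", SCRIPT, reg_add("System", "DisableTaskMgr")),  # duplicate
    row("2024-01-10T10:00:20", "dev-a", SCRIPT, reg_add("System", "DisableCMD")),
    row("2024-01-10T10:00:40", "dev-a", SCRIPT, reg_add("System", "DisableRegistryTools")),
    row("2024-01-10T10:01:00", "dev-a", SCRIPT, reg_add("Explorer", "NoRun")),
    # dev-b: an admin disables Task Manager once and re-enables NoRun (data 0) -> no alert.
    row("2024-01-10T11:00:00", "dev-b", "explorer.exe", reg_add("System", "DisableTaskMgr")),
    row("2024-01-10T11:00:10", "dev-b", "explorer.exe", reg_add("Explorer", "NoRun", "0")),
]
```

Lowering `threshold` shows the single administrative change on dev-b surfacing too, which is the kind of case the exclusion scenarios further down are meant to filter.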
```yaml
id: 8490deec-067e-49d5-a617-a8f8b9ebd8bd
name: Inhibit recovery by disabling tools and functionality
description: |
  Prior to deploying Macaw ransomware in an organization, the adversary will disable several tools and functions in order to inhibit later recovery efforts.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Ransomware
query: |
  DeviceProcessEvents
  | where ProcessCommandLine has_all ("reg", "add")
  | where ProcessCommandLine has_any("DisableTaskMgr", "DisableCMD", "DisableRegistryTools", "NoRun") and ProcessCommandLine has "REG_DWORD /d \"1\""
  | summarize ProcessCount = dcount(ProcessCommandLine), make_set(ProcessCommandLine) by InitiatingProcessCommandLine, DeviceId, bin(Timestamp, 3m)
  | where ProcessCount > 2
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: A system administrator disables the “Time Machine” backup service on macOS to free up disk space during a routine maintenance task.
Filter/Exclusion: Check for the presence of the com.apple.TimeMachine launch daemon and ensure the action is not associated with a known ransomware deployment script.
Scenario: An IT team disables the “Scheduled Tasks” (Task Scheduler) on Windows servers to prevent unauthorized access during a security audit.
Filter/Exclusion: Verify if the task was initiated by a privileged user or part of a standard maintenance procedure, and exclude actions related to known legitimate administrative scripts.
Scenario: A database administrator disables the “SQL Server Agent” service to perform a database maintenance window and prevent unintended job executions.
Filter/Exclusion: Filter out events where the service is disabled by a user with a known administrative role and during a scheduled maintenance window.
Scenario: A DevOps engineer disables the “Logrotate” utility on Linux systems to troubleshoot log-related issues, temporarily halting log rotation.
Filter/Exclusion: Exclude actions where the user has a DevOps role and the change is made within a known maintenance or troubleshooting window.
Scenario: A security team disables the “Windows Defender” service on a test machine to run a custom security tool for evaluation purposes.
Filter/Exclusion: Check for the presence of a test environment label or a known security evaluation tool, and exclude actions performed by a security team member with elevated privileges.