A suspicious process is loading RstrtMgr.dll, the Windows Restart Manager library, which ransomware commonly uses to terminate the processes holding locks on files it wants to encrypt. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) or Microsoft Defender advanced hunting, where the DeviceImageLoadEvents table used below is available, to catch ransomware activity before encryption completes.
Detection Rule
title: Load Of RstrtMgr.DLL By A Suspicious Process
id: b48492dc-c5ef-4572-8dff-32bc241c15c8
related:
    - id: 3669afd2-9891-4534-a626-e5cf03810a61
      type: derived
status: test
description: |
    Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
    This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
    It could also be used for anti-analysis purposes by shutting down specific processes.
references:
    - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
    - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
    - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
    - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
author: Luc Génaux
date: 2023-11-28
tags:
    - attack.impact
    - attack.defense-evasion
    - attack.t1486
    - attack.t1562.001
logsource:
    category: image_load
    product: windows
detection:
    selection_img:
        - ImageLoaded|endswith: '\RstrtMgr.dll'
        - OriginalFileName: 'RstrtMgr.dll'
    selection_folders_1:
        Image|contains:
            # Note: increase coverage by adding more suspicious paths
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
    selection_folders_2:
        - Image|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Contacts\'
    condition: selection_img and 1 of selection_folders_*
falsepositives:
    - Processes related to software installation
level: high
Microsoft Defender advanced hunting / Sentinel translation of the rule (KQL):

DeviceImageLoadEvents
| where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll")
    and (
        (InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Temporary Internet")
        or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\")
        or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\")
        or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\")
    )

Two points to keep in mind when running this translation. First, InitiatingProcessVersionInfoOriginalFileName describes the process that performs the load, not the DLL being loaded, so that clause cannot match a genuine RstrtMgr.dll load; in this table the FolderPath clause is what carries the detection. Second, KQL's contains, endswith and =~ operators are case-insensitive, which matches Sigma's string-matching semantics; do not swap in the _cs variants.
Scenario: A system administrator is using Task Scheduler to run a maintenance script that legitimately loads RstrtMgr.DLL to terminate non-essential services before a system update.
Filter/Exclusion: Task Scheduler (the Schedule service hosted in svchost.exe) and the script hosts it launches run from %SystemRoot%\System32, which none of the rule's selection_folders_* patterns match, so the scenario does not fire as written and needs no exclusion. Only if the maintenance job ships its own binary under a listed path such as C:\Users\Public would it match; in that case allowlist that exact Image path (ideally together with its signer or hash) rather than anything whose command line mentions schtasks.exe or Task Scheduler, a condition any scheduled malicious task would satisfy as well.
Scenario: A Windows Update or Group Policy Update process loads RstrtMgr.DLL as part of its normal operation to terminate conflicting processes.
Filter/Exclusion: svchost.exe hosting wuauserv or gpsvc runs from %SystemRoot%\System32, so the rule's path selection never matches it and no exclusion is required. Avoid adding a blanket svchost.exe exclusion anyway; it buys nothing today and would blind a future version of the rule whose path list is widened.
Scenario: A Windows Service (e.g., Windows Search or Windows Defender) loads RstrtMgr.DLL during a routine scan or indexing operation.
Filter/Exclusion: SearchIndexer.exe and the Defender engine run from system or program locations, not from the user-writable folders the rule lists, so these loads are already outside the rule's scope and need no exclusion.
Scenario: A PowerShell script or batch file is used by an IT admin to gracefully shut down or restart services, which may involve loading RstrtMgr.DLL.
Filter/Exclusion: powershell.exe and cmd.exe run from System32 and do not match the rule unless a copy of the interpreter is executed from one of the listed folders. Do not exclude on a command line containing powershell.exe or cmd.exe: that removes exactly the living-off-the-land case the rule exists to catch. If an admin script legitimately launches a helper from C:\Users\Public or a similar path, allowlist that helper's full Image path and hash, or better, move it to a protected location.
Scenario: A remote desktop session or logon script triggers a legitimate process that loads RstrtMgr.DLL to manage application state before user login.
Filter/Exclusion: The rule keys on the initiating process's image path, not on how the session was started, so a process launched from System32 by a remote session or logon script does not match, and mstsc.exe itself never runs from a listed path. Only a process executed from one of the listed user folders fires, and that is worth investigating regardless of session type; if a logon script deploys a tool to such a path, allowlist that tool's exact Image path rather than the session origin.
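To make the rule's selections and the tuning advice above concrete, here is an added Python example that is not part of the Sigma rule, the KQL translation, or the page's original content. It evaluates the same selection_img / selection_folders_* logic over a handful of constructed image_load events using Sysmon Event ID 7 style field names (Image, ImageLoaded, OriginalFileName), then applies a narrow allowlist keyed on the exact process path plus a ProcessSigner field that is assumed to have been joined in from the corresponding process-creation event (image_load events carry signer data for the loaded DLL, not for the process). The sample events, paths and signer names are invented for illustration; the svchost.exe event is included to show why the svchost exclusions discussed above are no-ops.

```python
# Added example: evaluate the "Load Of RstrtMgr.DLL By A Suspicious Process"
# logic over constructed image_load events and apply a path-scoped allowlist.
# Not the rule author's code; field names follow Sysmon Event ID 7 / Sigma.

# selection_folders_1: any of these substrings in the process Image path
SUSPICIOUS_FOLDERS = (":\\perflogs\\", ":\\users\\public\\", "\\temporary internet")

# selection_folders_2: Sigma 'contains|all' pairs, each pair must fully match
USER_SUBFOLDER_PAIRS = (
    (":\\users\\", "\\favorites\\"),
    (":\\users\\", "\\favourites\\"),
    (":\\users\\", "\\contacts\\"),
)


def image_is_rstrtmgr(event: dict) -> bool:
    """selection_img: loaded image path ends with \\RstrtMgr.dll OR the loaded
    image's OriginalFileName is RstrtMgr.dll. Sigma matching is case-insensitive."""
    loaded = event.get("ImageLoaded", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return loaded.endswith("\\rstrtmgr.dll") or original == "rstrtmgr.dll"


def process_in_suspicious_folder(image: str) -> bool:
    """1 of selection_folders_*: the initiating process lives in a listed folder."""
    img = image.lower()
    if any(folder in img for folder in SUSPICIOUS_FOLDERS):
        return True
    return any(all(part in img for part in pair) for pair in USER_SUBFOLDER_PAIRS)


def rule_matches(event: dict) -> bool:
    """condition: selection_img and 1 of selection_folders_*"""
    return image_is_rstrtmgr(event) and process_in_suspicious_folder(event.get("Image", ""))


# Tuning: allowlist on the exact Image path AND the process signer, never on a
# loose substring such as "powershell.exe" (which would also excuse a renamed or
# copied interpreter dropped in C:\Users\Public). Entries are hypothetical.
ALLOWLIST = {
    ("c:\\users\\public\\deploytool\\deploy.exe", "Contoso IT (hypothetical signer)"),
}


def alert(event: dict) -> bool:
    """True when the rule matches and no allowlist entry covers the process."""
    if not rule_matches(event):
        return False
    key = (event.get("Image", "").lower(), event.get("ProcessSigner", ""))
    return key not in ALLOWLIST


# Constructed sample events (not real telemetry). ProcessSigner is assumed to be
# joined from the process-creation event; it is not a native image_load field.
RSTRTMGR = "C:\\Windows\\System32\\RstrtMgr.dll"
EVENTS = [
    {"Image": "C:\\Users\\Public\\update.exe", "ImageLoaded": RSTRTMGR, "OriginalFileName": "RstrtMgr.dll"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": RSTRTMGR, "OriginalFileName": "RstrtMgr.dll"},
    {"Image": "C:\\Users\\bob\\Favorites\\x.exe", "ImageLoaded": RSTRTMGR, "OriginalFileName": "RstrtMgr.dll"},
    {"Image": "C:\\Users\\Public\\report.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "OriginalFileName": "ntdll.dll"},
    {"Image": "C:\\Users\\Public\\deploytool\\deploy.exe", "ImageLoaded": RSTRTMGR, "OriginalFileName": "RstrtMgr.dll",
     "ProcessSigner": "Contoso IT (hypothetical signer)"},
]


def evaluate(events=EVENTS):
    """Return (raw rule matches, alerts surviving the allowlist) as Image paths."""
    matches = [e["Image"] for e in events if rule_matches(e)]
    alerts = [e["Image"] for e in events if alert(e)]
    return matches, alerts


if __name__ == "__main__":
    matched, alerted = evaluate()
    print("rule matches:", matched)
    print("alerts after allowlist:", alerted)
```

Running the block shows three raw matches (update.exe, the Favorites-resident x.exe, and the hypothetical deploy.exe) and two alerts once the allowlist is applied; svchost.exe never matches because its System32 path fails every folder selection, and report.exe never matches because it did not load RstrtMgr.dll.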