Adversaries may deploy LockBit ransomware and its supporting tooling as files whose SHA256 hashes are already known, creating or modifying those files on endpoints in order to encrypt data or to weaken defenses. SOC teams should proactively hunt for file events matching these hashes in Azure Sentinel to identify ransomware operations in progress and disrupt them before significant damage occurs.
KQL Query

```kusto
// DETECTION STRATEGY:
// Hash-based identification of known threat actor payloads (LockBit, Advanced IP Scanner) deployed via Apache ActiveMQ exploitation.
//
// THE MECHANIC:
// Following successful RCE (CVE-2023-46604) on an internet-facing ActiveMQ server, the adversary drops batch scripts to modify RDP settings,
// utilizes Advanced IP Scanner for internal reconnaissance, and executes LockBit ransomware binaries interactively via RDP sessions.
//
// THE RESILIENCE:
// While hash-based detections are brittle to recompilation, these specific indicators represent unmodified, statically compiled builder
// artifacts and renamed legitimate RMM/Scanner tools that threat actors frequently reuse across intrusions without modification.
// Reference: https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware
//
// Define exact SHA256 indicators mapped to the intrusion phases.
let iocSha256 = dynamic([
    // Tier 1: LockBit Ransomware Payloads (Leaked Builder Artifacts)
    "c8646cfb574ff2c6f183c3c3951bf6b2c6cf16ff8a5e949a118be27f15962fae", // lb3_pass.exe (Executed with path/password flags)
    "8ceee89550c521ba43f59d24ba53a22a3b69ead0fce118508d0a87a383d6a7b6", // lb3.exe (PsExec spreader variant)
    // Tier 2: Reconnaissance & Defense Evasion Tools
    "87bfb05057f215659cc801750118900145f8a22fa93ac4c6e1bfd81aa98b0a55", // netscan.exe
    "722fff8f38197d1449df500ae31a95bb34a6ddaba56834b13eaaff2b0f9f1c8b", // advanced_ip_scanner.exe (Dropped as SoftPerfect Network Scanner disguise)
    // Tier 3: Configuration Modification Scripts
    "d9c888bde81f19f3dc4f050d184ffa6470f1a93a2b3b10b3cc2d246574f56841"  // rdp.bat (Used to open port 3389 and alter firewall rules)
]);
//
// STEP 1: Base Query - Filter early on the target table to save compute memory
DeviceFileEvents
| where isnotempty(SHA256)
| where SHA256 in~ (iocSha256)
//
// STEP 2: Schema Alignment & Explicit Casting for Sentinel Entity Extraction
// Explicitly cast fields to strings to satisfy the Logic App/SOAR entity schema requirements.
| extend
    HostCustomEntity = tostring(DeviceName),
    AccountCustomEntity = tostring(InitiatingProcessAccountUpn),
    FileHashCustomEntity = tostring(SHA256),
    HashAlgorithm = "SHA256", // Hardcoded to satisfy the mandatory 'Algorithm' enum in the FileHash entity schema
    ProcessIdString = tostring(InitiatingProcessId) // ProcessIds must be cast to strings for entity mapping
//
// STEP 3: Format the output for triage (Analyst Hand-off)
// ANALYST ACTION: Review the 'PayloadPath' and 'ActorProcess'. If the payload was dropped
// into an interactive RDP directory (e.g., \Downloads\) or the C:\Intel\ staging folder,
// assume active interactive ransomware deployment and isolate the host immediately.
| project
    Timestamp,
    DeviceName = HostCustomEntity,
    AccountUpn = AccountCustomEntity,
    ActorProcess = InitiatingProcessFileName,
    ActorCommandLine = InitiatingProcessCommandLine,
    ActorProcessId = ProcessIdString,
    PayloadName = FileName,
    PayloadPath = FolderPath,
    PayloadHash = FileHashCustomEntity,
    HashAlgorithm,
    ActionType,
    PayloadSize = FileSize
//
// STEP 4: Visual Hierarchy (The Left-to-Right Narrative)
| project-reorder
    Timestamp,        // When
    DeviceName,       // Where
    AccountUpn,       // Who
    ActorProcess,     // What (The Actor)
    ActorCommandLine, // How (The Actor)
    PayloadName,      // The Evidence (Target File)
    PayloadPath,      // The Evidence (Target Location)
    PayloadHash,      // The Evidence (Indicator)
    ActionType,       // Metadata
    PayloadSize,      // Metadata
    ActorProcessId,   // Metadata
    HashAlgorithm     // Metadata
```
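To check what the rule does before it is deployed, the following Python replay of its logic over constructed DeviceFileEvents-shaped rows is added here; it is example code, not part of the rule or of the referenced report. It reproduces the `isnotempty()` guard, the case-insensitive `in~` match against the five SHA256 indicators, and the string casting of the entity fields, and turns the ANALYST ACTION comment (payload dropped into a Downloads folder or the C:\Intel staging folder) into an `IsolateHost` flag on each triage row. The `_row` helper, the sample hosts, accounts, timestamps, PIDs and the all-zero placeholder hash are constructed; the indicator hashes are the rule's own.

```python
"""Offline replay of the hash-IoC rule over constructed DeviceFileEvents rows.

Added example (not part of the original rule): re-implements the three things
the KQL does -- the isnotempty() guard, the case-insensitive `in~` match against
the SHA256 list, and the string casting of entity fields -- and carries the
ANALYST ACTION hint as a boolean in the projected output.
"""
from typing import Any, Dict, Iterable, List, Optional

# The rule's five SHA256 indicators, keyed to the filename the rule's own
# comments attribute to each (hashes are the page's; labels are the rule's).
IOC_SHA256: Dict[str, str] = {
    "c8646cfb574ff2c6f183c3c3951bf6b2c6cf16ff8a5e949a118be27f15962fae": "lb3_pass.exe",
    "8ceee89550c521ba43f59d24ba53a22a3b69ead0fce118508d0a87a383d6a7b6": "lb3.exe",
    "87bfb05057f215659cc801750118900145f8a22fa93ac4c6e1bfd81aa98b0a55": "netscan.exe",
    "722fff8f38197d1449df500ae31a95bb34a6ddaba56834b13eaaff2b0f9f1c8b": "advanced_ip_scanner.exe",
    "d9c888bde81f19f3dc4f050d184ffa6470f1a93a2b3b10b3cc2d246574f56841": "rdp.bat",
}

# Folder markers from the rule's ANALYST ACTION comment (an interactive RDP
# drop location such as \Downloads\ and the C:\Intel\ staging folder).
STAGING_MARKERS = ("\\downloads\\", "c:\\intel\\")


def matches_ioc(sha256: Optional[str]) -> Optional[str]:
    """`isnotempty(SHA256)` and `SHA256 in~ (iocSha256)`: return the known
    filename for a hit, None for an empty hash or a non-indicator."""
    if not sha256:
        return None
    return IOC_SHA256.get(sha256.lower())


def is_staging_path(folder_path: str) -> bool:
    """True when FolderPath sits under a Downloads folder or C:\\Intel (case-insensitive)."""
    p = folder_path.lower().rstrip("\\") + "\\"
    return any(marker in p for marker in STAGING_MARKERS)


def detect(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Keep indicator hits only and project the analyst hand-off columns in the
    rule's left-to-right order (when / where / who / what / evidence / metadata)."""
    hits = []
    for ev in events:
        known = matches_ioc(ev.get("SHA256"))
        if known is None:
            continue
        hits.append({
            "Timestamp": ev["Timestamp"],
            "DeviceName": str(ev["DeviceName"]),
            "AccountUpn": str(ev.get("InitiatingProcessAccountUpn", "")),
            "ActorProcess": ev.get("InitiatingProcessFileName", ""),
            "ActorCommandLine": ev.get("InitiatingProcessCommandLine", ""),
            "PayloadName": ev["FileName"],
            "PayloadPath": ev["FolderPath"],
            "PayloadHash": str(ev["SHA256"]),
            "ActionType": ev["ActionType"],
            "PayloadSize": ev.get("FileSize"),
            "ActorProcessId": str(ev.get("InitiatingProcessId", "")),  # entity schema needs a string
            "HashAlgorithm": "SHA256",
            "KnownAs": known,                                   # which indicator fired
            "IsolateHost": is_staging_path(ev["FolderPath"]),   # ANALYST ACTION hint
        })
    return hits


def _row(ts, device, proc, pid, name, folder, sha, action, size=0, upn="admin@corp.example"):
    """Build one constructed DeviceFileEvents-shaped row (hypothetical helper)."""
    return {"Timestamp": ts, "DeviceName": device, "InitiatingProcessAccountUpn": upn,
            "InitiatingProcessFileName": proc, "InitiatingProcessCommandLine": proc,
            "InitiatingProcessId": pid, "FileName": name, "FolderPath": folder,
            "SHA256": sha, "ActionType": action, "FileSize": size}


# Constructed telemetry (not from the referenced report): hosts, accounts, timestamps
# and PIDs are invented; hashes are the rule's indicators or an all-zero placeholder.
SAMPLE_EVENTS = [
    # LockBit spreader staged in C:\Intel; hash upper-cased to exercise the `in~` semantics.
    _row("2024-05-01T02:14:07Z", "srv-activemq01", "explorer.exe", 4812, "lb3.exe", "C:\\Intel",
         "8CEEE89550C521BA43F59D24BA53A22A3B69EAD0FCE118508D0A87A383D6A7B6", "FileCreated", 162304),
    # Benign spreadsheet save; placeholder hash that is not an indicator.
    _row("2024-05-01T02:15:00Z", "ws-finance07", "EXCEL.EXE", 3321, "budget.xlsx",
         "C:\\Users\\jdoe\\Documents", "0" * 64, "FileModified", 48120, "jdoe@corp.example"),
    # Scanner copied to ProgramData: a hit, but not in one of the flagged interactive locations.
    _row("2024-05-01T02:20:41Z", "srv-activemq01", "explorer.exe", 4812, "netscan.exe",
         "C:\\ProgramData", "87bfb05057f215659cc801750118900145f8a22fa93ac4c6e1bfd81aa98b0a55", "FileCreated", 2301952),
    # RDP configuration script dropped in a Downloads folder.
    _row("2024-05-01T02:31:12Z", "dc01", "explorer.exe", 6020, "rdp.bat",
         "C:\\Users\\admin\\Downloads", "d9c888bde81f19f3dc4f050d184ffa6470f1a93a2b3b10b3cc2d246574f56841", "FileCreated", 412),
    # Row with an empty SHA256 column (not every event carries a hash); dropped by isnotempty().
    _row("2024-05-01T02:32:00Z", "dc01", "System", 4, "pagefile.sys", "C:\\", "", "FileModified"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        flag = "ISOLATE" if hit["IsolateHost"] else "review"
        print(f'{hit["Timestamp"]} {hit["DeviceName"]:<16} {hit["ActorProcess"]:<14} '
              f'{hit["PayloadPath"]}\\{hit["PayloadName"]} ({hit["KnownAs"]}) -> {flag}')
```

Running the block prints three triage rows: the two payloads written to C:\Intel and a Downloads folder are flagged for isolation, the scanner copied to ProgramData is left for review, and the benign spreadsheet and the hash-less row never reach the output. Because the match is a dictionary lookup on the lower-cased hash, an upper-case SHA256 from the sensor still fires, which is the behaviour `in~` gives the Sentinel rule.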
```yaml
id: 076b86d3-eaff-4cd9-af47-118e79e31e7c
name: LockBit and related tool hash IoCs
description: Identifies file creation or modification events matching SHA256 hashes associated with an Apache ActiveMQ exploit, defense evasion scripts, and LockBit ransomware deployment.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Execution
  - Impact
relevantTechniques:
  - T1486
  - T1204
query: |
  // DETECTION STRATEGY:
  // Hash-based identification of known threat actor payloads (LockBit, Advanced IP Scanner) deployed via Apache ActiveMQ exploitation.
  //
  // THE MECHANIC:
  // Following successful RCE (CVE-2023-46604) on an internet-facing ActiveMQ server, the adversary drops batch scripts to modify RDP settings,
  // utilizes Advanced IP Scanner for internal reconnaissance, and executes LockBit ransomware binaries interactively via RDP sessions.
  //
  // THE RESILIENCE:
  // While hash-based detections are brittle to recompilation, these specific indicators represent unmodified, statically compiled builder
  // artifacts and renamed legitimate RMM/Scanner tools that threat actors frequently reuse across intrusions without modification.
  // Reference: https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware
  //
  // Define exact SHA256 indicators mapped to the intrusion phases.
  let iocSha256 = dynamic([
      // Tier 1: LockBit Ransomware Payloads (Leaked Builder Artifacts)
      "c8646cfb574ff2c6f183c3c3951bf6b2c6cf16ff8a5e949a118be27f15962fae", // lb3_pass.exe (Executed with path/password flags)
      "8ceee89550c521ba43f59d24ba53a22a3b69ead0fce118508d0a87a383d6a7b6", // lb3.exe (PsExec spreader variant)
      // Tier 2: Reconnaissance & Defense Evasion Tools
      "87bfb05057f215659cc801750118900145f8a22fa93ac4c6e1bfd81aa98b0a55", // netscan.exe
      "722fff8f38197d1449df500ae31a95bb34a6ddaba56834b13eaaff2b0f9f1c8b", // advanced_ip_scanner.exe (Dropped as SoftPerfect Network Scanner disguise)
      // Tier 3: Configuration Modification Scripts
      "d9c888bde81f19f3dc4f050d184ffa6470f1a93a2b3b10b3cc2d246574f56841"  // rdp.bat (Used to open port 3389 and alter firewall rules)
  ]);
  //
  // STEP 1: Base Query - Filter early on the target table to save compute memory
  DeviceFileEvents
  | where isnotempty(SHA256)
  | where SHA256 in~ (iocSha256)
  //
  // STEP 2: Schema Alignment & Explicit Casting for Sentinel Entity Extraction
  // Explicitly cast fields to strings to satisfy the Logic App/SOAR entity schema requirements.
  | extend
      HostCustomEntity = tostring(DeviceName),
      AccountCustomEntity = tostring(InitiatingProcessAccountUpn),
      FileHashCustomEntity = tostring(SHA256),
      HashAlgorithm = "SHA256", // Hardcoded to satisfy the mandatory 'Algorithm' enum in the FileHash entity schema
      ProcessIdString = tostring(InitiatingProcessId) // ProcessIds must be cast to strings for entity mapping
  //
  // STEP 3: Format the output for triage (Analyst Hand-off)
  // ANALYST ACTION: Review the 'PayloadPath' and 'ActorProcess'. If the payload was dropped
  // into an interactive RDP directory (e.g., \Downloads\) or the C:\Intel\ staging folder,
  // assume active interactive ransomware deployment and isolate the host immediately.
  | project
      Timestamp,
      DeviceName = HostCustomEntity,
      AccountUpn = AccountCustomEntity,
      ActorProcess = InitiatingProcessFileName,
      ActorCommandLine = InitiatingProcessCommandLine,
      ActorProcessId = ProcessIdString,
      PayloadName = FileName,
      PayloadPath = FolderPath,
      PayloadHash = FileHashCustomEntity,
      HashAlgorithm,
      ActionType,
      PayloadSize = FileSize
  //
  // STEP 4: Visual Hierarchy (The Left-to-Right Narrative)
  | project-reorder
      Timestamp,        // When
      DeviceName,       // Where
      AccountUpn,       // Who
      ActorProcess,     // What (The Actor)
      ActorCommandLine, // How (The Actor)
      PayloadName,      // The Evidence (Target File)
      PayloadPath,      // The Evidence (Target Location)
      PayloadHash,      // The Evidence (Indicator)
      ActionType,       // Metadata
      PayloadSize,      // Metadata
      ActorProcessId,   // Metadata
      HashAlgorithm     // Metadata
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Scheduled backup job using rsync with a known hash from a legitimate backup script | process.name = rsync and file.name contains "backup" |
| System update using apt that includes a known hash from a trusted package repository | process.name = apt and file.name contains "update" or "upgrade" |
| Admin task using PowerShell to generate a report with a hash matching a known legitimate script | process.name = powershell.exe and file.name contains "report" or "generate" |
| Log rotation using logrotate with a script that has a hash matching a known tool | process.name = logrotate and file.name contains "rotate" or "log" |
| Database backup using mysqldump with a script that has a hash matching a known tool | process.name = mysqldump and file.name contains "backup" or "dump" |