Accounts that have logged on to affected endpoints may indicate compromised credentials used in a ransomware attack, as attackers often leverage stolen credentials to move laterally and encrypt sensitive healthcare data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate ransomware activity before it impacts critical systems and patient information.
KQL Query

```kql
AlertInfo
| where Timestamp > ago(7d)
// Attempts to clear security event logs.
| where Title in ("Event log was cleared",
    // List alerts flagging attempts to delete backup files.
    "File backups were deleted",
    // Potential Cobalt Strike activity - Note that other threat activity can also
    // trigger alerts for suspicious decoded content
    "Suspicious decoded content",
    // Cobalt Strike activity
    "'Atosev' malware was detected",
    "'Ploty' malware was detected",
    "'Bynoco' malware was detected")
| extend AlertTime = Timestamp
| join AlertEvidence on AlertId
| distinct DeviceName, AlertTime, AlertId, Title
| join DeviceLogonEvents on DeviceName
// Creating a 10-day window surrounding the alert activity
| where Timestamp < AlertTime + 5d and Timestamp > AlertTime - 5d
// Projecting specific columns
| project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain,
    AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName
```
```yaml
id: f4506828-36f5-4668-8203-de062963be63
name: Ransomware hits healthcare - Possible compromised accounts
description: |
  Identify accounts that have logged on to affected endpoints.
  Check for specific alerts.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertInfo
      - AlertEvidence
      - DeviceLogonEvents
query: |
  AlertInfo
  | where Timestamp > ago(7d)
  // Attempts to clear security event logs.
  | where Title in ("Event log was cleared",
      // List alerts flagging attempts to delete backup files.
      "File backups were deleted",
      // Potential Cobalt Strike activity - Note that other threat activity can also
      // trigger alerts for suspicious decoded content
      "Suspicious decoded content",
      // Cobalt Strike activity
      "'Atosev' malware was detected",
      "'Ploty' malware was detected",
      "'Bynoco' malware was detected")
  | extend AlertTime = Timestamp
  | join AlertEvidence on AlertId
  | distinct DeviceName, AlertTime, AlertId, Title
  | join DeviceLogonEvents on DeviceName
  // Creating a 10-day window surrounding the alert activity
  | where Timestamp < AlertTime + 5d and Timestamp > AlertTime - 5d
  // Projecting specific columns
  | project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain,
      AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName
```
| Sentinel Table | Notes |
|---|---|
| AlertEvidence | Ensure this data connector is enabled |
| DeviceLogonEvents | Ensure this data connector is enabled |
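The same hunt with the exclusions from the false-positive scenarios listed below applied and the results rolled up per account, so that an account seen on several affected devices surfaces first. This is an added example, not the page's own query; the account and process names in the two exclusion lists are placeholders to replace with the environment's real service accounts and automation tooling, and the `DeviceLogonEvents` columns `ActionType` and `InitiatingProcessFileName` are assumed from the advanced hunting schema.

```kql
// Placeholder lists: replace with the service accounts and backup/management
// binaries that legitimately log on to endpoints in this environment.
let KnownServiceAccounts = dynamic(["intunemgmt", "sccm_svc", "svc_veeam", "svc_sqlagent"]);
let KnownAutomationProcesses = dynamic(["veeam.exe", "commvault.exe", "sqlservr.exe", "ccmexec.exe"]);
// Same alert titles as the page's query
let AlertTitles = dynamic([
    "Event log was cleared",
    "File backups were deleted",
    "Suspicious decoded content",
    "'Atosev' malware was detected",
    "'Ploty' malware was detected",
    "'Bynoco' malware was detected"]);
// Devices that appear as evidence on one of those alerts in the last 7 days
let AffectedDevices =
    AlertInfo
    | where Timestamp > ago(7d)
    | where Title in (AlertTitles)
    | extend AlertTime = Timestamp
    | join kind=inner AlertEvidence on AlertId
    | where isnotempty(DeviceName)
    | distinct DeviceName, AlertTime, AlertId, Title;
DeviceLogonEvents
| where Timestamp > ago(12d)              // alerts from 7d back, minus the 5d look-back
| where ActionType == "LogonSuccess"      // only accounts that actually got a session
// kind=inner keeps every logon; the default innerunique would drop logons
// from the same device after the first match
| join kind=inner AffectedDevices on DeviceName
| where Timestamp between ((AlertTime - 5d) .. (AlertTime + 5d))
// Routine activity described in the false-positive scenarios
| where not(AccountName in~ (KnownServiceAccounts))
| where not(InitiatingProcessFileName in~ (KnownAutomationProcesses))
| where not(LogonType in ("Service", "Batch"))  // scheduled jobs and services
// One row per account; accounts touching many affected devices rank first
| summarize FirstLogon = min(Timestamp), LastLogon = max(Timestamp),
            AffectedDeviceCount = dcount(DeviceName),
            Devices = make_set(DeviceName, 20),
            LogonTypes = make_set(LogonType),
            RemoteIPs = make_set(RemoteIP, 20),
            TriggeringAlerts = make_set(Title)
    by AccountDomain, AccountName, AccountSid
| order by AffectedDeviceCount desc, LastLogon desc
```

Tune the `LogonType` exclusion to the environment: dropping `Service` and `Batch` removes most backup and replication noise, but an attacker-created scheduled task would also be hidden, so review those separately rather than discarding them.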
**Scenario:** Scheduled backups running during off-hours
**Description:** A legitimate scheduled backup job (e.g., Veeam, Commvault) is executing on a healthcare server, logging in to the endpoint as part of its routine.
**Filter/Exclusion:** Exclude processes associated with known backup tools (e.g., veeam.exe, commvault.exe) or check for the presence of a backup job ID in the process name or command line.

**Scenario:** System maintenance tasks via PowerShell
**Description:** An admin is running a PowerShell script (e.g., Invoke-Command) to perform system maintenance or patching on a healthcare endpoint.
**Filter/Exclusion:** Filter out processes initiated by the local admin account or check for the presence of a known maintenance script or command in the process command line.

**Scenario:** Remote management via Microsoft Intune or SCCM
**Description:** A device is being managed remotely via Microsoft Intune or SCCM, which may trigger login events on the endpoint.
**Filter/Exclusion:** Exclude logins initiated by the Intune or SCCM service accounts (e.g., intunemgmt, SCCM) or check for the presence of a known management tool in the process name.

**Scenario:** Database replication or synchronization jobs
**Description:** A database replication task (e.g., SQL Server Agent job) is syncing data between servers, which may involve logging into the target endpoint.
**Filter/Exclusion:** Exclude logins associated with SQL Server services (e.g., sqlservr.exe) or check for the presence of a known replication job name in the process or event details.

**Scenario:** User access during shift changes
**Description:** A healthcare staff member is logging into a workstation or server during shift change to review patient records or update documentation.
*Filter