Adversaries may use remote file creation with PsExec to establish persistence or deploy ransomware payloads across a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate Ryuk ransomware campaigns early.
KQL Query
// Find PsExec creating multiple files on remote machines in a 10-minute window
DeviceFileEvents
| where Timestamp > ago(7d)
// Looking for PsExec by accepteula command flag
| where InitiatingProcessCommandLine has "accepteula"
// Remote machines and file is exe
| where FolderPath has "\\\\" and FileName endswith ".exe"
| extend Exe = countof(InitiatingProcessCommandLine, ".exe")
// Checking to see if command line has 2 .exe or .bat
| where InitiatingProcessCommandLine !has ".ps1" and Exe > 1 or
InitiatingProcessCommandLine has ".bat"
// Exclusions: Remove the following line to widen scope of AHQ
| where not(InitiatingProcessCommandLine has_any("batch", "auditpol",
"script", "scripts", "illusive", "rebootrequired"))
| summarize FileCount = dcount(FolderPath), make_set(SHA1), make_set(FolderPath),
make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId,
TimeWindow=bin(Timestamp, 10m), InitiatingProcessFileName
| where FileCount > 4
id: 8b1d8f83-08f3-44fb-8328-1229521f109c
name: remote-file-creation-with-psexec
description: |
This query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog.
Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot.
Ryuk operators use PsExec to manually spread the ransomware to other devices.
The following query detects remote file creation events that might indicate an active attack.
The See also section below lists links to other queries associated with Ryuk ransomware.
References:
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://docs.microsoft.com/sysinternals/downloads/psexec
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceFileEvents
tactics:
- Lateral movement
query: |
// Find PsExec creating multiple files on remote machines in a 10-minute window
DeviceFileEvents
| where Timestamp > ago(7d)
// Looking for PsExec by accepteula command flag
| where InitiatingProcessCommandLine has "accepteula"
// Remote machines and file is exe
| where FolderPath has "\\\\" and FileName endswith ".exe"
| extend Exe = countof(InitiatingProcessCommandLine, ".exe")
// Checking to see if command line has 2 .exe or .bat
| where InitiatingProcessCommandLine !has ".ps1" and Exe > 1 or
InitiatingProcessCommandLine has ".bat"
// Exclusions: Remove the following line to widen scope of AHQ
| where not(InitiatingProcessCommandLine has_any("batch", "auditpol",
"script", "scripts", "illusive", "rebootrequired"))
| summarize FileCount = dcount(FolderPath), make_set(SHA1), make_set(FolderPath),
make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId,
TimeWindow=bin(Timestamp, 10m), InitiatingProcessFileName
| where FileCount > 4
| Sentinel Table | Notes |
|---|---|
DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using PsExec to deploy updates
Description: An admin uses PsExec to run a scheduled job that deploys system updates across the network.
Filter/Exclusion: process.parent_process != "C:\Windows\System32\svchost.exe" OR process.name != "psexec.exe" OR process.args contains "schtasks"
Scenario: Admin uses PsExec to remotely execute a PowerShell script for patching
Description: A system administrator uses PsExec to run a PowerShell script that applies security patches on remote machines.
Filter/Exclusion: process.name != "powershell.exe" OR process.args contains "patching" OR process.parent_process contains "task scheduler"
Scenario: IT team uses PsExec to configure remote servers during maintenance window
Description: During a planned maintenance window, IT uses PsExec to configure settings on multiple remote servers.
Filter/Exclusion: process.args contains "maintenance" OR process.parent_process contains "IT-Tools" OR process.user contains "IT-Admin"
Scenario: PsExec used to run a legitimate backup script on remote machines
Description: A backup process uses PsExec to execute a backup script on remote endpoints.
Filter/Exclusion: process.name contains "backup" OR process.args contains "backup-script" OR process.user contains "backup-service"
Scenario: PsExec used to run a remote administrative task (e.g., service restart)
Description: An admin uses PsExec to restart a service on a remote machine as part of routine maintenance.
Filter/Exclusion: process.args contains "restart service" OR process.name contains "service" OR process.parent_process contains "task scheduler"