The hypothesis is that the detection rule identifies potential data destruction activity associated with the Wadhrama ransomware, specifically the use of WMIC to delete local backups (shadow copies), which adversaries may use to exfiltrate data or disrupt operations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate ransomware attacks before significant data loss occurs.
KQL Query
// Find use of WMIC to delete backups before ransomware execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete"
| project DeviceId, Timestamp, InitiatingProcessFileName, FileName,
    ProcessCommandLine, InitiatingProcessIntegrityLevel, InitiatingProcessParentFileName
id: 08502f9f-7a04-4608-b5ad-5cfa129c073b
name: wadhrama-data-destruction
description: |
  This query was originally published in the threat analytics report, RDP ransomware persists as Wadhrama.
  The ransomware known as Wadhrama has been used in human-operated attacks that follow a particular pattern. The attackers often use Remote Desktop Protocol (RDP) to gain initial access to a device or network, exfiltrate credentials, and maintain persistence.
  The following query checks for possible Wadhrama-related activity by detecting any use of the Windows Management Instrumentation command-line utility (WMIC) to delete local backups. The attackers often delete all local backups on an infected device before actually running the ransomware.
  Other techniques used by the group associated with Wadhrama are listed under See also.
  Reference - https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Wadhrama
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Impact
query: |
  // Find use of WMIC to delete backups before ransomware execution
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName =~ "wmic.exe"
  | where ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete"
  | project DeviceId, Timestamp, InitiatingProcessFileName, FileName,
      ProcessCommandLine, InitiatingProcessIntegrityLevel, InitiatingProcessParentFileName
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running via Task Scheduler to perform disk cleanup or system maintenance could trigger the rule due to file deletion or modification activity.
Filter/Exclusion: | where not(InitiatingProcessFileName =~ "schtasks.exe" or ProcessCommandLine has "schtasks")
Scenario: Database Backup and Restore Operation
Description: A database administrator may perform a backup or restore operation using tools like sqlcmd or mysqldump, which can involve temporary file creation or deletion.
Filter/Exclusion: | where not(FileName in~ ("sqlcmd.exe", "mysqldump.exe"))
Scenario: User-Initiated File Deletion via Command Line
Description: An admin might use del or rm commands in a terminal session to delete outdated files, which could be flagged by the rule.
Filter/Exclusion: | where not(FileName in~ ("cmd.exe", "bash.exe") and (ProcessCommandLine has "del" or ProcessCommandLine has "rm"))
Scenario: Antivirus or Endpoint Protection Quarantine Action
Description: Antivirus tools like Kaspersky, Bitdefender, or Malwarebytes may quarantine malicious files, which could be mistaken for ransomware activity.
Filter/Exclusion: | where not(FileName contains "kav" or FileName contains "bitdefender" or FileName contains "malwarebytes" or InitiatingProcessFileName =~ "avp.exe")
Scenario: Log Rotation or Archive Process
Description: A log rotation tool like logrotate (Linux) or LogParser (Windows) may delete or archive old log files, which could trigger the rule.
Filter/Exclusion: | where not(FileName contains "logrotate" or FileName contains "logparser")
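As an added offline illustration (not Microsoft's code and not the query from this page), the following Python script emulates the WMIC shadow-copy hunt above together with the Scheduled System Maintenance Task exclusion, run over constructed DeviceProcessEvents-style records. The kql_has helper is an assumed approximation of KQL's term-based has operator, and the sample events are constructed, not real telemetry.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 7-day window is reproducible offline.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

def event(device, age, file_name, cmdline, parent):
    """Build a constructed DeviceProcessEvents-style record (only the columns the hunt uses)."""
    return {"DeviceId": device, "Timestamp": NOW - age, "FileName": file_name,
            "ProcessCommandLine": cmdline, "InitiatingProcessFileName": parent}

# Constructed sample events; none of these are real telemetry.
EVENTS = [
    event("dev-01", timedelta(hours=2), "WMIC.exe", "wmic shadowcopy delete /nointeractive", "cmd.exe"),
    event("dev-02", timedelta(days=1), "wmic.exe", "wmic shadowcopy list brief", "cmd.exe"),    # read-only
    event("dev-03", timedelta(days=9), "wmic.exe", "wmic shadowcopy delete", "cmd.exe"),        # outside 7d
    event("dev-04", timedelta(hours=5), "wmic.exe", "wmic shadowcopy delete", "schtasks.exe"),  # task parent
]

def kql_has(text, term):
    """Assumed approximation of KQL `has`: case-insensitive match of a whole alphanumeric term."""
    return term.lower() in re.findall(r"[a-z0-9]+", text.lower())

def hunt(events, now=NOW, window=timedelta(days=7), exclude_scheduled_task=False):
    """Apply the hunt's filters and, optionally, the scheduled-task exclusion from the
    false-positive list. Returns the DeviceIds of matching events in input order."""
    hits = []
    for e in events:
        if e["Timestamp"] <= now - window:            # Timestamp > ago(7d)
            continue
        if e["FileName"].lower() != "wmic.exe":       # FileName =~ "wmic.exe" is case-insensitive
            continue
        cl = e["ProcessCommandLine"]
        if not (kql_has(cl, "shadowcopy") and kql_has(cl, "delete")):
            continue
        # "Scheduled System Maintenance Task" exclusion. It also drops dev-04, a real
        # deletion launched from a task: parent-name exclusions trade coverage for
        # noise, so review what they suppress before deploying them.
        if exclude_scheduled_task and (e["InitiatingProcessFileName"].lower() == "schtasks.exe"
                                       or kql_has(cl, "schtasks")):
            continue
        hits.append(e["DeviceId"])
    return hits

if __name__ == "__main__":
    print("raw hunt:", hunt(EVENTS))                                     # ['dev-01', 'dev-04']
    print("with exclusion:", hunt(EVENTS, exclude_scheduled_task=True))  # ['dev-01']
```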