Adversaries using Wadhrama ransomware may establish persistence through scheduled tasks to maintain access and execute payloads without user interaction. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential ransomware attacks before data encryption occurs.
KQL Query

```kusto
// Find attempts to establish RDP persistence via the registry
let Allow = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "reg.exe"
| where ProcessCommandLine has "AllowTSConnections"
| extend AllowReport = Timestamp;
//
let Deny = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "reg.exe"
| where ProcessCommandLine has "fDenyTSConnections"
| extend DenyReport = Timestamp;
//
let Special = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "reg.exe"
| where ProcessCommandLine has "SpecialAccounts"
| extend SpecialReport = Timestamp;
//
// Correlate the three reg.exe edits on the same device. Special is the left-most table,
// so the unsuffixed Timestamp below is the SpecialAccounts event; the AllowTSConnections
// and fDenyTSConnections edits must fall within 10 seconds of it.
Special | join kind=inner (Deny | join kind=inner Allow on DeviceId) on DeviceId
| where AllowReport < Timestamp + 10s and AllowReport > Timestamp - 10s
| where DenyReport < Timestamp + 10s and DenyReport > Timestamp - 10s
| where SpecialReport < Timestamp + 10s and SpecialReport > Timestamp - 10s
```
```yaml
id: 733c3a83-5950-496c-90f0-d66f0efa3c35
name: wadhrama-ransomware
description: |
  This query was originally published in the threat analytics report, RDP ransomware persists as Wadhrama.
  The ransomware known as Wadhrama has been used in human-operated attacks that follow a particular pattern. The attackers often use Remote Desktop Protocol (RDP) to gain initial access to a device or network, exfiltrate credentials, and maintain persistence.
  The following query checks for possible Wadhrama-related activity by searching for attempts to establish RDP persistence via the registry.
  Other techniques used by the group associated with Wadhrama are listed under See also.
  Reference - https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Wadhrama
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Persistence
query: |
  // Find attempts to establish RDP persistence via the registry
  let Allow = DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName == "reg.exe"
  | where ProcessCommandLine has "AllowTSConnections"
  | extend AllowReport = Timestamp;
  //
  let Deny = DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName == "reg.exe"
  | where ProcessCommandLine has "fDenyTSConnections"
  | extend DenyReport = Timestamp;
  //
  let Special = DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName == "reg.exe"
  | where ProcessCommandLine has "SpecialAccounts"
  | extend SpecialReport = Timestamp;
  //
  // Correlate the three reg.exe edits on the same device. Special is the left-most table,
  // so the unsuffixed Timestamp below is the SpecialAccounts event; the AllowTSConnections
  // and fDenyTSConnections edits must fall within 10 seconds of it.
  Special | join kind=inner (Deny | join kind=inner Allow on DeviceId) on DeviceId
  | where AllowReport < Timestamp + 10s and AllowReport > Timestamp - 10s
  | where DenyReport < Timestamp + 10s and DenyReport > Timestamp - 10s
  | where SpecialReport < Timestamp + 10s and SpecialReport > Timestamp - 10s
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
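To make explicit what the query's three-way join asserts, here is an added Python re-implementation of its correlation logic run over constructed sample rows; it is not code from the Microsoft query or the Sentinel repository, and the device ids, registry key paths and timestamps in the sample are made-up placeholders. It also generalizes the fixed 10-second window to a parameter so the effect of widening it can be seen.

```python
from datetime import datetime, timedelta

# Constructed DeviceProcessEvents-style rows (sample data, not real telemetry).
# dev-A: all three reg.exe edits within a few seconds -> should match.
# dev-B: fDenyTSConnections + SpecialAccounts but no AllowTSConnections -> no match.
# dev-C: all three, but the AllowTSConnections edit is 58 s away -> outside +/-10 s.
# dev-D: carries the SpecialAccounts string but the process is not reg.exe -> ignored.
def _ev(ts, dev, fname, cmd):
    return {"Timestamp": datetime.fromisoformat(ts), "DeviceId": dev,
            "FileName": fname, "ProcessCommandLine": cmd}

EVENTS = [
    _ev("2024-01-01T10:00:00", "dev-A", "reg.exe", "reg add HKLM\\Constructed\\Key /v fDenyTSConnections /d 0"),
    _ev("2024-01-01T10:00:03", "dev-A", "reg.exe", "reg add HKLM\\Constructed\\Key /v AllowTSConnections /d 1"),
    _ev("2024-01-01T10:00:05", "dev-A", "reg.exe", "reg add HKLM\\Constructed\\SpecialAccounts\\UserList /v svc /d 0"),
    _ev("2024-01-01T11:00:00", "dev-B", "reg.exe", "reg add HKLM\\Constructed\\Key /v fDenyTSConnections /d 0"),
    _ev("2024-01-01T11:00:02", "dev-B", "reg.exe", "reg add HKLM\\Constructed\\SpecialAccounts\\UserList /v svc /d 0"),
    _ev("2024-01-01T12:00:00", "dev-C", "reg.exe", "reg add HKLM\\Constructed\\Key /v fDenyTSConnections /d 0"),
    _ev("2024-01-01T12:00:02", "dev-C", "reg.exe", "reg add HKLM\\Constructed\\SpecialAccounts\\UserList /v svc /d 0"),
    _ev("2024-01-01T12:01:00", "dev-C", "reg.exe", "reg add HKLM\\Constructed\\Key /v AllowTSConnections /d 1"),
    _ev("2024-01-01T13:00:00", "dev-D", "notepad.exe", "notepad SpecialAccounts.txt"),
]

MARKERS = {"Allow": "AllowTSConnections", "Deny": "fDenyTSConnections", "Special": "SpecialAccounts"}

def find_rdp_persistence(events, window_seconds=10):
    """Mirror the KQL join: the SpecialAccounts edit is the anchor row (its Timestamp
    survives the joins unsuffixed), and the Allow and Deny edits must occur on the
    same DeviceId strictly within +/- window_seconds of it.
    Returns [(DeviceId, anchor timestamp as ISO string), ...]."""
    window = timedelta(seconds=window_seconds)
    reg = [e for e in events if e["FileName"] == "reg.exe"]  # KQL == is case-sensitive
    # KQL `has` is a case-insensitive term match; a substring test approximates it here
    buckets = {k: [e for e in reg if v.lower() in e["ProcessCommandLine"].lower()]
               for k, v in MARKERS.items()}
    hits = []
    for anchor in buckets["Special"]:
        def near(cands):
            return any(c["DeviceId"] == anchor["DeviceId"]
                       and abs(c["Timestamp"] - anchor["Timestamp"]) < window
                       for c in cands)
        if near(buckets["Allow"]) and near(buckets["Deny"]):
            hits.append((anchor["DeviceId"], anchor["Timestamp"].isoformat()))
    return hits

if __name__ == "__main__":
    for dev, ts in find_rdp_persistence(EVENTS):
        print(f"possible RDP persistence setup on {dev} at {ts}")
```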
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate Scheduled Job Execution | A scheduled job using schtasks.exe runs a script that performs system maintenance, such as log cleanup or backup, which may resemble ransomware behavior. | Exclude processes initiated by schtasks.exe with known legitimate command-line arguments or scripts located in trusted directories like C:\Windows\System32\. |
| Admin Task for System Backup | An administrator uses wbadmin.exe to perform a system backup, which may trigger the rule due to file encryption or modification activities. | Exclude processes initiated by wbadmin.exe during known backup windows or with specific command-line switches like /quiet or /backup. |
| PowerShell Script for Patch Management | A PowerShell script (powershell.exe) is used to apply patches or update system files, which may include file encryption or modification that matches the detection logic. | Exclude processes where the command line includes -File or -ScriptBlock with paths to trusted PowerShell modules or scripts in the C:\Windows\System32\WindowsPowerShell\v1.0\ directory. |
| Remote Desktop Session with File Operations | A legitimate remote desktop session (mstsc.exe) involves file operations such as copying or renaming files, which may be mistaken for ransomware activity. | Exclude processes initiated by mstsc.exe with IP addresses from trusted internal networks or users with administrative privileges. |
| Antivirus Quarantine Process | An antivirus tool (e.g., avgscan.exe, mcafee.exe) quarantines malicious files, which may involve file encryption or deletion that triggers the rule. | Exclude processes |