Unlock the Ultimate Defense: Top 3 Hunting Queries for Ransomware Protection in Microsoft Sentinel
📝An actor has gained access to your network and tries to execute ransomware. This query surfaces devices where the Attack Surface Reduction (ASR) rule "Use advanced protection against ransomware" fired, in either block or audit mode. An AsrRansomwareAudited event means the rule only logged the activity and did not stop the payload, so treat audit hits with the same urgency as blocks.
🏹Query:
DeviceEvents
| where TimeGenerated > ago(30d)
// Exact ActionType values emitted by the ASR ransomware-protection rule
| where ActionType in ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
| summarize arg_max(TimeGenerated, *),
            TotalEvents = count(),
            TriggeredFiles = make_set(FileName),
            FileHashes = make_set(SHA1),
            InitiatingProcesses = make_set(InitiatingProcessCommandLine)
    by DeviceName, AccountName
| project TimeGenerated, DeviceName, AccountDomain, AccountName, TotalEvents, TriggeredFiles, FileHashes, InitiatingProcesses
📝Detects KillNet's ransomware note and the file extension that has been used to encrypt files.
🏹Query:
let killnetRansomNote = "ru.txt";        // ransom note file name dropped on victim hosts
let killnetRansomExtension = ".killnet"; // extension appended to encrypted files
DeviceFileEvents
| where FileName =~ killnetRansomNote or FileName endswith killnetRansomExtension
| project-reorder TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine
📝Triggers when a known ransomware extension has been found. Note that has_any does term matching rather than suffix matching, so a list entry such as .lock also matches a file named lock.txt; review the hits before acting on them, or tighten the match to the trailing extension.
🏹Query:
// Community-maintained extension list, fetched at query time
let RansomwareExtensionsInput = externaldata(Extension: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-extension-list.txt"] with (format="txt", ignoreFirstRecord=True);
// Add your missing / new extensions in this list.
let RansomwareExtensionAddition = dynamic(['.missingfromabovelist']);
let RansomwareExtensions = materialize (
    RansomwareExtensionsInput
    | distinct Extension
    // Extension without the leading dot, kept for reference only; the match below uses Extension
    | extend RawExtension = substring(Extension, 1, string_size(Extension))
);
DeviceFileEvents
| where FileName has_any (RansomwareExtensions) or FileName has_any (RansomwareExtensionAddition)
| summarize arg_max(TimeGenerated, *),
            EncryptedFiles = make_set(FileName),
            Locations = make_set(FolderPath)
    by DeviceName
| extend TotalFileEncrypted = array_length(EncryptedFiles)
| project-reorder TimeGenerated, TotalFileEncrypted, EncryptedFiles, Locations, InitiatingProcessAccountName
| sort by TotalFileEncrypted
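The following is an added example, not one of the post's queries, showing a stricter variant of the extension hunt above: it extracts only the trailing extension of each file name and matches it exactly against the same externaldata list, then counts matches per device and account in 5-minute windows so that a burst of renames stands out from a single stray file. The MinFilesPerWindow threshold and the 1-day lookback are assumed values to tune for your environment.

```kql
// Added example (not from the original post): exact trailing-extension match plus burst threshold.
let RansomwareExtensions = materialize(
    externaldata(Extension: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-extension-list.txt"] with (format="txt", ignoreFirstRecord=True)
    | extend Extension = tolower(trim(@"\s", Extension))  // normalise case and stray whitespace
    | where Extension startswith "."                        // drop comment or malformed lines
    | distinct Extension
);
let MinFilesPerWindow = 20;  // assumed threshold, tune per environment
DeviceFileEvents
| where TimeGenerated > ago(1d)
| where ActionType in ("FileCreated", "FileRenamed")
// Keep only the final ".ext" so that "lock.txt" does not match the list entry ".lock"
| extend FileExtension = tolower(extract(@"(\.[^.\\/]+)$", 1, FileName))
| where isnotempty(FileExtension)
| where FileExtension in (RansomwareExtensions)
| summarize FilesMatched = count(),
            MatchedExtensions = make_set(FileExtension, 10),
            SampleFiles = make_set(FileName, 10),
            Folders = make_set(FolderPath, 10),
            Processes = make_set(InitiatingProcessCommandLine, 5)
    by DeviceName, InitiatingProcessAccountName, Window = bin(TimeGenerated, 5m)
| where FilesMatched >= MinFilesPerWindow
| sort by FilesMatched desc
```

Exact suffix matching removes the false positives that term matching produces, but it also misses families that append a victim-specific or random extension; keep the broader has_any hunt above for those and use this variant when you want an alertable rule with a low noise floor.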
Ready to become a KQL Champion? 💡
Check out the Must Learn KQL repo, created and maintained by KQL boss Rod Trent: 📝https://lnkd.in/e2ziN44D Want to see more queries? There's a great repo here: 📝https://lnkd.in/eHS59XMM