ASR Ransomware

Query Information

MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
|---|---|---|
| T1486 | Data Encrypted for Impact | https://attack.mitre.org/techniques/T1486 |

Description

Detects when the ransomware ASR rule generates an AsrRansomwareBlocked or AsrRansomwareAudited event. MDE uses client and cloud heuristics to determine if a file resembles ransomware; this file could, for example, be the script that is used to encrypt files. Defender for Endpoint generates no alert for these events by default. This could be the start of a ransomware attack. Additional information is available from Microsoft.

Risk

An actor has gained access to your network and is trying to execute ransomware.

References

Defender For Endpoint

```kql
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType in ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
// One row per device/account pair: latest event plus the distinct files, hashes and parent command lines involved
| summarize arg_max(Timestamp, *), TotalEvents = count(), TriggeredFiles = make_set(FileName), FileHashes = make_set(SHA1), InitiatingProcesses = make_set(InitiatingProcessCommandLine) by DeviceName, AccountName
| project Timestamp, DeviceName, AccountDomain, AccountName, TotalEvents, TriggeredFiles, FileHashes, InitiatingProcesses
```

Sentinel

```kql
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType in ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
// One row per device/account pair: latest event plus the distinct files, hashes and parent command lines involved
| summarize arg_max(Timestamp, *), TotalEvents = count(), TriggeredFiles = make_set(FileName), FileHashes = make_set(SHA1), InitiatingProcesses = make_set(InitiatingProcessCommandLine) by DeviceName, AccountName
| project Timestamp, DeviceName, AccountDomain, AccountName, TotalEvents, TriggeredFiles, FileHashes, InitiatingProcesses
```
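The two KQL queries above are identical, so the aggregation they perform can be checked offline in one place. The following Python is an added example, not code from this repository: it reimplements the query's filter, 30-day lookback, `summarize ... by DeviceName, AccountName` grouping, `arg_max(Timestamp, *)` and `make_set()` semantics over a handful of constructed `DeviceEvents` records (all device names, accounts, hashes and command lines below are made up), which is handy when validating that the grouping behaves as expected before the query is wired into an analytics rule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

# Fixed "now" so the example is deterministic (stands in for ago(30d)'s reference time).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# ActionTypes the detection cares about; both come from the ransomware ASR rule
# (Audited = rule in audit mode, Blocked = rule in block mode).
RANSOMWARE_ACTIONS = {"AsrRansomwareBlocked", "AsrRansomwareAudited"}


@dataclass(frozen=True)
class DeviceEvent:
    """Subset of the DeviceEvents columns used by the query."""
    Timestamp: datetime
    DeviceName: str
    AccountDomain: str
    AccountName: str
    ActionType: str
    FileName: str
    SHA1: str
    InitiatingProcessCommandLine: str


# Constructed sample telemetry (not real data; hashes are placeholders).
SAMPLE_EVENTS: List[DeviceEvent] = [
    DeviceEvent(NOW - timedelta(hours=2), "ws01", "CONTOSO", "jdoe",
                "AsrRansomwareBlocked", "encrypt.ps1", "sha1-placeholder-a",
                "powershell.exe -File encrypt.ps1"),
    DeviceEvent(NOW - timedelta(hours=1), "ws01", "CONTOSO", "jdoe",
                "AsrRansomwareAudited", "encrypt.ps1", "sha1-placeholder-a",
                "cmd.exe /c run.bat"),
    # Different device and account, single event.
    DeviceEvent(NOW - timedelta(days=3), "ws02", "CONTOSO", "svc_backup",
                "AsrRansomwareBlocked", "locker.exe", "sha1-placeholder-b",
                "explorer.exe"),
    # Unrelated ActionType on the same host: must be filtered out.
    DeviceEvent(NOW - timedelta(minutes=30), "ws01", "CONTOSO", "jdoe",
                "AntivirusDetection", "eicar.com", "sha1-placeholder-c",
                "explorer.exe"),
    # Older than the 30-day lookback: must be filtered out.
    DeviceEvent(NOW - timedelta(days=45), "ws03", "CONTOSO", "old_user",
                "AsrRansomwareBlocked", "old.exe", "sha1-placeholder-d",
                "cmd.exe"),
]


def asr_ransomware_summary(events: Iterable[DeviceEvent],
                           now: datetime = NOW,
                           lookback: timedelta = timedelta(days=30)) -> List[dict]:
    """Mirror the KQL: filter, group by (DeviceName, AccountName), then
    take the latest row per group plus count and distinct sets."""
    groups: Dict[Tuple[str, str], List[DeviceEvent]] = {}
    for ev in events:
        if ev.Timestamp <= now - lookback:          # | where Timestamp > ago(30d)
            continue
        if ev.ActionType not in RANSOMWARE_ACTIONS:  # | where ActionType in (...)
            continue
        groups.setdefault((ev.DeviceName, ev.AccountName), []).append(ev)

    rows = []
    for (device, account), evs in groups.items():
        latest = max(evs, key=lambda e: e.Timestamp)  # arg_max(Timestamp, *)
        rows.append({
            "Timestamp": latest.Timestamp,
            "DeviceName": device,
            "AccountDomain": latest.AccountDomain,     # carried along by arg_max's '*'
            "AccountName": account,
            "TotalEvents": len(evs),                   # count()
            # make_set() yields an unordered dynamic array; sorted() here for stable output.
            "TriggeredFiles": sorted({e.FileName for e in evs}),
            "FileHashes": sorted({e.SHA1 for e in evs}),
            "InitiatingProcesses": sorted({e.InitiatingProcessCommandLine for e in evs}),
        })
    rows.sort(key=lambda r: (r["DeviceName"], r["AccountName"]))
    return rows


if __name__ == "__main__":
    for row in asr_ransomware_summary(SAMPLE_EVENTS):
        print(row)
```

Running it yields two rows: `ws01`/`jdoe` with `TotalEvents` 2 and the two distinct parent command lines, and `ws02`/`svc_backup` with a single event; the antivirus event and the 45-day-old event are dropped, just as the KQL `where` clauses drop them.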