Technique ID | Title | Link |
---|---|---|
T1486 | Data Encrypted for Impact | https://attack.mitre.org/techniques/T1486 |

Detects when the ASR rule AsrRansomwareBlocked or AsrRansomwareAudited is triggered. MDE uses client and cloud heuristics to determine if a file resembles ransomware. This file could, for example, be the script that is used to encrypt files. No alert is generated by default by Defender For Endpoint. This could be the start of a ransomware attack. Additional information is available from Microsoft.

An actor has gained access to your network and tries to execute ransomware.
```kql
DeviceEvents
| where Timestamp > ago(30d)
// Keep only the ransomware ASR rule events (block mode and audit mode)
| where ActionType in ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
// One row per device and account: latest event plus the set of files, hashes and command lines seen
| summarize arg_max(Timestamp, *), TotalEvents = count(), TriggeredFiles = make_set(FileName), FileHashes = make_set(SHA1), InitiatingProcesses = make_set(InitiatingProcessCommandLine) by DeviceName, AccountName
| project Timestamp, DeviceName, AccountDomain, AccountName, TotalEvents, TriggeredFiles, FileHashes, InitiatingProcesses
```
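The following is an added example, not part of the original query set: it runs the same aggregation over a constructed `datatable` so the per-device, per-account output can be inspected without live telemetry, and it splits the count into blocked and audited events. The table name `SampleDeviceEvents`, all row values, and the `BlockedEvents`, `AuditedEvents` and `AuditOnly` columns are assumptions introduced here.

```kql
// Constructed sample rows standing in for DeviceEvents (every value is made up).
let SampleDeviceEvents = datatable(
    Timestamp:datetime, DeviceName:string, AccountDomain:string, AccountName:string,
    ActionType:string, FileName:string, SHA1:string, InitiatingProcessCommandLine:string)
[
    datetime(2024-01-10 09:00:00), "ws-01.example.local", "example", "alice",
        "AsrRansomwareAudited", "sample-a.exe", "<sha1-placeholder-a>", "cmd.exe /c sample-a.exe",
    datetime(2024-01-10 09:05:00), "ws-01.example.local", "example", "alice",
        "AsrRansomwareAudited", "sample-b.ps1", "<sha1-placeholder-b>", "powershell.exe -File sample-b.ps1",
    datetime(2024-01-11 14:30:00), "srv-02.example.local", "example", "svc-backup",
        "AsrRansomwareBlocked", "sample-c.exe", "<sha1-placeholder-c>", "sample-c.exe",
    datetime(2024-01-11 14:31:00), "srv-02.example.local", "example", "svc-backup",
        "AsrRansomwareBlocked", "sample-c.exe", "<sha1-placeholder-c>", "sample-c.exe",
    // Unrelated event, dropped by the ActionType filter below
    datetime(2024-01-11 15:00:00), "srv-02.example.local", "example", "svc-backup",
        "AntivirusScanCompleted", "", "", ""
];
SampleDeviceEvents
| where ActionType in ('AsrRansomwareBlocked', 'AsrRansomwareAudited')
| summarize arg_max(Timestamp, *),
    TotalEvents = count(),
    // Split the total so audit-mode hits are visible separately
    BlockedEvents = countif(ActionType == 'AsrRansomwareBlocked'),
    AuditedEvents = countif(ActionType == 'AsrRansomwareAudited'),
    TriggeredFiles = make_set(FileName),
    FileHashes = make_set(SHA1),
    InitiatingProcesses = make_set(InitiatingProcessCommandLine)
    by DeviceName, AccountName
// In audit mode the rule only logs, so the file was not stopped from running
| extend AuditOnly = BlockedEvents == 0
| project Timestamp, DeviceName, AccountDomain, AccountName, TotalEvents,
    BlockedEvents, AuditedEvents, AuditOnly, TriggeredFiles, FileHashes, InitiatingProcesses
// Review audit-only device/account pairs first
| order by AuditOnly desc, TotalEvents desc
```

To use the split against real telemetry, replace `SampleDeviceEvents` with `DeviceEvents` and restore the `Timestamp > ago(30d)` filter from the query above.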