Technique ID | Title | Link |
---|---|---|
T1486 | Data Encrypted for Impact | https://attack.mitre.org/techniques/T1486/ |
Detects possible ransomware activity by looking for file renames that append a custom extension to an already-existing file name, such as ".docx.encrypted" or ".pdf.ezz". This technique is used by multiple ransomware groups: they do not replace the current extension, they append a new one to the existing file name, so the original extension is still visible in the renamed file.
A false positive could be an administrator, a backup or archiving job, or a migration script that renames many files at once and appends its own suffix (for example a ".bak"-style suffix); check the initiating process and account before escalating.
Ransomware is being deployed in your environment: files on the affected device are being encrypted and renamed. Isolate the device and investigate the initiating process and account behind the rename events.
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml
- https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
- https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
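// Based on https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml
// Purpose: flag file renames where the original extension is kept and another one is
// appended (report.docx -> report.docx.encrypted), a pattern shared by many ransomware families.
// Target: Microsoft Defender XDR advanced hunting (DeviceFileEvents, Timestamp column).
// Add your most common file extensions to this list (lower-case, with the leading dot).
let OriginalExtension = dynamic(['.pdf', '.docx', '.jpg', '.xlsx', '.pptx', '.txt']);
DeviceFileEvents
| where ActionType == "FileRenamed"
// Windows file names are case-insensitive but the regex/string matching below is not,
// so normalise both names first (Report.PDF -> report.pdf would otherwise be missed).
| extend PreviousNameLower = tolower(PreviousFileName), NewNameLower = tolower(FileName)
// Original extension = the LAST dot-delimited segment, so names with several dots or
// extensions containing digits ("v1.2 report.docx", "archive.7z") are handled correctly.
| extend PreviousFileExtension = extract(@'(\.[^.]+)$', 1, PreviousNameLower)
// New extension = everything from the first dot, so an appended extension stays visible.
| extend NewFileExtension = extract(@'(\..*)$', 1, NewNameLower)
// The extension that was appended = last dot-delimited segment of the new name.
| extend AppendedExtension = extract(@'(\.[^.]+)$', 1, NewNameLower)
// File extension must be changed
| where PreviousFileExtension != NewFileExtension
// Exact match against the watch-list: the extracted value is the whole extension,
// so `in` is precise and avoids the term-tokenisation rules of `has_any`.
| where PreviousFileExtension in (OriginalExtension)
| extend RansomwareCheck = strcat(PreviousFileExtension, ".")
// The new name must still contain the original extension followed by another dot
// (e.g. .docx.encrypted or .pdf.ezz)
| where NewFileExtension contains RansomwareCheck
// Drop duplicated extensions (report.pdf -> report.pdf.pdf) to limit false positives
| where AppendedExtension != PreviousFileExtension
// Helper columns are no longer needed
| project-away PreviousNameLower, NewNameLower
// Display results; process and path columns are included for triage of the rename
| project-reorder
    Timestamp,
    PreviousFileExtension,
    PreviousFileName,
    NewFileExtension,
    AppendedExtension,
    FileName,
    FolderPath,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine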
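// Based on https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml
// Purpose: flag file renames where the original extension is kept and another one is
// appended (report.docx -> report.docx.encrypted), a pattern shared by many ransomware families.
// Target: Microsoft Sentinel (DeviceFileEvents, TimeGenerated column).
// Add your most common file extensions to this list (lower-case, with the leading dot).
let OriginalExtension = dynamic(['.pdf', '.docx', '.jpg', '.xlsx', '.pptx', '.txt']);
DeviceFileEvents
| where ActionType == "FileRenamed"
// Windows file names are case-insensitive but the regex/string matching below is not,
// so normalise both names first (Report.PDF -> report.pdf would otherwise be missed).
| extend PreviousNameLower = tolower(PreviousFileName), NewNameLower = tolower(FileName)
// Original extension = the LAST dot-delimited segment, so names with several dots or
// extensions containing digits ("v1.2 report.docx", "archive.7z") are handled correctly.
| extend PreviousFileExtension = extract(@'(\.[^.]+)$', 1, PreviousNameLower)
// New extension = everything from the first dot, so an appended extension stays visible.
| extend NewFileExtension = extract(@'(\..*)$', 1, NewNameLower)
// The extension that was appended = last dot-delimited segment of the new name.
| extend AppendedExtension = extract(@'(\.[^.]+)$', 1, NewNameLower)
// File extension must be changed
| where PreviousFileExtension != NewFileExtension
// Exact match against the watch-list: the extracted value is the whole extension,
// so `in` is precise and avoids the term-tokenisation rules of `has_any`.
| where PreviousFileExtension in (OriginalExtension)
| extend RansomwareCheck = strcat(PreviousFileExtension, ".")
// The new name must still contain the original extension followed by another dot
// (e.g. .docx.encrypted or .pdf.ezz)
| where NewFileExtension contains RansomwareCheck
// Drop duplicated extensions (report.pdf -> report.pdf.pdf) to limit false positives
| where AppendedExtension != PreviousFileExtension
// Helper columns are no longer needed
| project-away PreviousNameLower, NewNameLower
// Display results; process and path columns are included for triage of the rename
| project-reorder
    TimeGenerated,
    PreviousFileExtension,
    PreviousFileName,
    NewFileExtension,
    AppendedExtension,
    FileName,
    FolderPath,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine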