wadharama related pages

martyav · martyav · commit fed4a12b446e · 2020-08-18T12:34:58.000-04:00
diff --git a/Credential Access/wadhrama-credential-dump.md b/Credential Access/wadhrama-credential-dump.md
@@ -0,0 +1,50 @@
+# Image File Execution Options and .bat file usage in association with Wadhrama ransomware
+
+This query was originally published in the threat analytics report, *RDP ransomware persists as Wadhrama*.
+
+The ransomware known as [Wadhrama](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Wadhrama) has been used in human-operated attacks that follow a particular pattern. The attackers often use Remote Desktop Protocol (RDP) to gain initial access to a device or network, exfiltrate credentials, and maintain persistance.
+
+The following query checks for possible Wadhrama-related activity, by detecting the technique these attackers have used in the past to dump credentials.
+
+Other techniques used by the group associated with Wadhrama are listed under [See also](#see-also).
+
+## Query
+
+```Kusto
+// Find use of Image File Execution Options (IFEO) in conjunction 
+// with a .bat file to dump credentials
+DeviceRegistryEvents
+| where Timestamp > ago(7d)
+| where RegistryKey has "sethc" or RegistryKey has "utilman"
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access | v |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact | v |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Find data destruction related to Wadhrama ransomware](../Impact/wadhrama-data-destruction.md)
+* [Find RDP persistance attempts related to Wadhrama ransomware](../Persistence/wadhrama-ransomware.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team
diff --git a/Impact/wadhrama-data-destruction.md b/Impact/wadhrama-data-destruction.md
@@ -0,0 +1,52 @@
+# Find data destruction related to Wadhrama ransomware
+
+This query was originally published in the threat analytics report, *RDP ransomware persists as Wadhrama*.
+
+The ransomware known as [Wadhrama](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Wadhrama) has been used in human-operated attacks that follow a particular pattern. The attackers often use Remote Desktop Protocol (RDP) to gain initial access to a device or network, exfiltrate credentials, and maintain persistance.
+
+The following query checks for possible Wadhrama-related activity, by detecting any use of Windows Management Instrumentation command-line utility, or WMIC, to delete local backups. The attackers often delete all local backups on an infected device before actually running the ransomware.
+
+Other techniques used by the group associated with Wadhrama are listed under [See also](#see-also).
+
+## Query
+
+```Kusto
+// Find use of WMIC to delete backups before ransomware execution
+DeviceProcessEvents
+| where Timestamp > ago(7d)
+| where FileName =~ "wmic.exe"
+| where ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete"
+| project DeviceId, Timestamp, InitiatingProcessFileName, FileName,
+ProcessCommandLine, InitiatingProcessIntegrityLevel, InitiatingProcessParentFileName
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact | v |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Find RDP persistance attempts related to Wadhrama ransomware](../Persistence/wadhrama-ransomware.md)
+* [Image File Execution Options and .bat file usage in association with Wadhrama ransomware](../Credential%20Access/wadhrama-credential-dump.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team
diff --git a/Persistence/wadhrama-ransomware.md b/Persistence/wadhrama-ransomware.md
@@ -0,0 +1,68 @@
+# Find RDP persistance attempts related to Wadhrama ransomware
+
+This query was originally published in the threat analytics report, *RDP ransomware persists as Wadhrama*.
+
+The ransomware known as [Wadhrama](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Wadhrama) has been used in human-operated attacks that follow a particular pattern. The attackers often use Remote Desktop Protocol (RDP) to gain initial access to a device or network, exfiltrate credentials, and maintain persistance.
+
+The following query checks for possible Wadhrama-related activity, by searching for attempts to establish RDP persistance via the registry.
+
+Other techniques used by the group associated with Wadhrama are listed under [See also](#see-also).
+
+## Query
+
+```Kusto
+// Find attempts to establish RDP persistence via the registry
+let Allow = DeviceProcessEvents
+| where Timestamp > ago(7d)
+| where FileName == "reg.exe"
+| where ProcessCommandLine has "AllowTSConnections"
+| extend AllowReport = Timestamp ;
+//
+let Deny = DeviceProcessEvents 
+| where Timestamp > ago(7d)
+| where FileName == "reg.exe"
+| where ProcessCommandLine has "fDenyTSConnections"
+| extend DenyReport = Timestamp;
+// 
+let Special = DeviceProcessEvents  
+| where Timestamp > ago(7d)
+| where FileName == "reg.exe"
+| where ProcessCommandLine has "SpecialAccounts"
+| extend SpecialReport = Timestamp;
+//
+Special | join kind=inner (Deny | join kind=inner Allow on DeviceId) on DeviceId 
+| where AllowReport < Timestamp +10s and AllowReport > Timestamp -10s
+| where DenyReport < Timestamp +10s and DenyReport > Timestamp -10s
+| where SpecialReport < Timestamp +10s and SpecialReport > Timestamp -10s
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence | v |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+* [Find data destruction related to Wadhrama ransomware](../Impact/wadhrama-data-destruction.md)
+* [Image File Execution Options and .bat file usage in association with Wadhrama ransomware](../Credential%20Access/wadhrama-credential-dump.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team
