Detection rules › Kusto Query Language
Dev-0530 File Extension Rename
Dev-0530 actors are known to encrypt the contents of the victim's device and to rename the encrypted files' extensions. This query looks for the creation of files with the .h0lyenc extension or for the presence of the ransom note.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1486 Data Encrypted for Impact |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
| Security-Auditing | 4663 | An attempt was made to access an object. |
| Defender-DeviceFileEvents | 9002001 | File created |
Stages and Predicates
- Stage 1: source (union)
- Stage 2: union of 2 branches
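The page gives only the rule's description and the two-branch union structure, not its query. The KQL below is an added example written for this page, not the rule's own code: it implements the described logic (file creation with the .h0lyenc extension, or the ransom note) as a union of two branches over the Microsoft Defender for Endpoint `DeviceFileEvents` table and the Windows Security `SecurityEvent` table (event 4663, as listed in the event coverage above). The ransom note file name is not stated on the page, so it appears as a placeholder to be filled in; the table and column names are the standard Sentinel/advanced-hunting ones and are assumed to be available in the target workspace.

```kusto
// Added example, not the rule's own query. Assumes the Sentinel /
// advanced-hunting tables DeviceFileEvents and SecurityEvent.
let encExt = ".h0lyenc";
// The ransom note file name is not given on the page; replace this placeholder.
let ransomNote = "<RANSOM_NOTE_FILENAME>";
let lookback = 1d;
// Branch 1: Defender for Endpoint file-creation telemetry (event 9002001 / FileCreated)
let defenderBranch = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | where FileName endswith encExt or FileName =~ ransomNote
    | project TimeGenerated = Timestamp,
              Host = DeviceName,
              Path = strcat(FolderPath, @"\", FileName),
              Process = InitiatingProcessFileName,
              Source = "DeviceFileEvents";
// Branch 2: Windows Security auditing 4663 (object access) on the same file names.
// 4663 requires a SACL on the watched paths, so coverage depends on audit policy.
let auditBranch = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4663
    | where ObjectName endswith encExt or ObjectName endswith ransomNote
    | project TimeGenerated,
              Host = Computer,
              Path = ObjectName,
              Process = ProcessName,
              Source = "SecurityEvent";
// Union the two branches and collapse a burst of renames on one host into one result row.
union defenderBranch, auditBranch
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Files = dcount(Path),
            SamplePaths = make_set(Path, 5),
            Processes = make_set(Process, 5)
          by Host, Source
| order by FirstSeen asc
```

The `summarize` at the end is a tuning choice rather than part of the described logic: a single .h0lyenc file is already a strong signal, but grouping by host keeps one encryption run from producing hundreds of alerts, while `Files` and `SamplePaths` preserve enough detail to triage. Sysmon event 11 (FileCreate) would be a third branch in environments that ingest Sysmon; its parsing depends on the connector's schema, so it is left out of this example.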