Remote File Creation with PsExec

Source: upstream

This query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog. Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot. Ryuk operators use PsExec to manually spread the ransomware to other devices. The following query detects remote file creation events that might indicate an active attack. The See also section below lists links to other queries associated with Ryuk ransomware.

References:
  • https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
  • https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk.AA
  • https://docs.microsoft.com/sysinternals/downloads/psexec

MITRE ATT&CK coverage

Tactic           | Techniques
Lateral Movement | T1570 Lateral Tool Transfer

Event coverage

Provider                  | Event ID | Title
Sysmon                    | 11       | FileCreate
Security-Auditing         | 4663     | An attempt was made to access an object.
Defender-DeviceFileEvents | 9002000  | File activity (any)

Stages and Predicates

Stage 1: source

DeviceFileEvents

Stage 2: where

InitiatingProcessCommandLine match "accepteula"

Stage 3: where

and
  FileName ends_with ".exe"
  FolderPath match "\\\\\\\\"

Stage 4: extend

Stage 5: where

or
  and
    not
      InitiatingProcessCommandLine match ".ps1"
    Exe gt "1"
  InitiatingProcessCommandLine match ".bat"

Stage 6: where

not
  InitiatingProcessCommandLine match ["batch", "auditpol", "script", "scripts", "illusive", "rebootrequired"]

Stage 7: summarize

Stage 8: where

FileCount gt "4"

Stage 9: extend

Stage 10: extend
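As an added example that is not the catalog's own query, the Python below models stages 2 through 8 of this rule over constructed DeviceFileEvents rows, so the predicate tree above can be traced against concrete input. Because the page does not show the extend and summarize stages, it assumes that stage 4 defines Exe as the number of ".exe" occurrences in the initiating command line and that stage 7 counts files per device and initiating command line.

```python
from collections import defaultdict

# Terms the rule suppresses (stage 6); values as listed on this page.
EXCLUDED_TERMS = ["batch", "auditpol", "script", "scripts", "illusive", "rebootrequired"]

def passes_stage_filters(ev):
    """Stages 2-6 applied to one DeviceFileEvents row (a dict of the fields used)."""
    cmd = ev["InitiatingProcessCommandLine"].lower()
    if "accepteula" not in cmd:                                        # stage 2
        return False
    if not (ev["FileName"].lower().endswith(".exe")
            and "\\\\" in ev["FolderPath"]):                           # stage 3: UNC path (\\)
        return False
    exe = cmd.count(".exe")   # stage 4: Exe assumed to be the number of ".exe" in the command line
    if not ((".ps1" not in cmd and exe > 1) or ".bat" in cmd):        # stage 5
        return False
    return not any(term in cmd for term in EXCLUDED_TERMS)             # stage 6

def detect(events):
    """Stages 7-8: count surviving rows per device and command line, keep FileCount > 4."""
    counts = defaultdict(int)
    for ev in filter(passes_stage_filters, events):
        counts[(ev["DeviceId"], ev["InitiatingProcessCommandLine"])] += 1  # grouping key assumed
    return [key for key, n in counts.items() if n > 4]

def make_events(device, folder, cmdline, names):
    """Build constructed DeviceFileEvents rows; not real telemetry."""
    return [{"DeviceId": device, "FileName": n, "FolderPath": folder,
             "InitiatingProcessCommandLine": cmdline} for n in names]

SAMPLE_EVENTS = (
    # PsExec pushing five executables to an admin share via a .bat: should alert.
    make_events("ws01", "\\\\srv02\\C$\\Windows\\Temp",
                "psexec.exe \\\\srv02 -accepteula -c -f launcher.bat",
                [f"enc{i}.exe" for i in range(5)])
    # Same shape, but the command line contains an excluded term (auditpol): suppressed.
    + make_events("ws01", "\\\\srv03\\ADMIN$",
                  "psexec.exe \\\\srv03 -accepteula -c auditpol_push.exe",
                  [f"tool{i}.exe" for i in range(6)])
    # Only two files: stays under the FileCount threshold.
    + make_events("ws04", "\\\\srv05\\C$", "psexec.exe \\\\srv05 -accepteula -c agent.exe",
                  ["a.exe", "b.exe"])
    # Local drop with no UNC path: fails stage 3.
    + make_events("ws06", "C:\\Users\\Public", "psexec.exe -accepteula -c run.exe",
                  [f"x{i}.exe" for i in range(5)])
)

if __name__ == "__main__":
    for device, cmdline in detect(SAMPLE_EVENTS):
        print(f"ALERT {device}: {cmdline}")
```

Only the first group survives all stages; the auditpol group shows why the stage 6 exclusions matter for tuning, and the two-file group shows the FileCount threshold doing its work.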

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage | Field       | Kind  | Excluded values
1     | CommandLine | match | batch, auditpol, script, scripts, illusive, rebootrequired

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                        | Kind      | Values
Exe                          | gt        | 1
FileCount                    | gt        | 4
FileName                     | ends_with | .exe
FolderPath                   | match     | \\\\
InitiatingProcessCommandLine | match     | .bat (corpus 8, sigma 8); accepteula (corpus 3, sigma 3)