Velociraptor Intrusion Analysis
1. Initial Access
1.1. Phishing: Spearphishing Attachment (T1566.001)
Hunt Name: Detect_Malicious_Email_Attachments
Query 1: Identify Malicious Executables in INetCache
SELECT FullPath, Size, CreationTime FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\%.exe'

Hunt Name: Find_Recent_Executables_In_User_Directories
Query 2: Search for Recently Created Executables in User Directories
SELECT FullPath, CreationTime, Size FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\%.exe' AND CreationTime > now() - 86400

Hunt Name: Identify_Dangerous_File_Extensions
Query 3: Detect Suspicious Attachments with Dangerous Extensions
SELECT FullPath FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\%.exe'

Hunt Name: Monitor_Temp_Directory_For_PDFs
Query 4: Search for PDF Files in Temp Directory
SELECT FullPath, Size, CreationTime FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\AppData\\Local\\Temp\\%.pdf'

Hunt Name: Check_Temp_Folder_For_Office_Docs
Query 5: Detect Office Documents in Temp Folders
SELECT FullPath, CreationTime, Size FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\AppData\\Local\\Temp\\%.docx'
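The five queries above are written in a SQL-like shorthand: Velociraptor's VQL has no FileSystem table and no LIKE operator, so they will not run as given. The following is an added example (not part of the original page) that expresses Queries 1 to 5 as one runnable VQL hunt using the built-in glob() plugin, the =~ regex operator and hash(); it assumes a Windows client, and the extra lure extensions, the 24-hour window and the SHA256 column are additions of this example.

```vql
-- Added example, not from the original page. Assumes a Windows client and
-- Velociraptor's built-in glob(), hash() and timestamp() functions.
LET LookbackSeconds = 86400

-- Locations and extensions from Queries 1-5, plus a few common lure types
-- (assumed additions: iso, lnk, hta, js, vbs, macro-enabled Office formats).
LET AttachmentGlobs = [
    "C:/Users/*/AppData/Local/Microsoft/Windows/INetCache/**/*.{exe,scr,js,vbs,hta}",
    "C:/Users/*/AppData/Local/Temp/**/*.{pdf,doc,docx,docm,xls,xlsx,xlsm,iso,lnk}",
    "C:/Users/*/Downloads/*.{exe,scr,js,vbs,hta,iso,lnk}"
]

-- Btime is the NTFS creation time (the page's CreationTime). Hashing only the
-- matched files keeps the hunt cheap and yields an indicator to pivot on.
SELECT OSPath,
       Size,
       Btime AS Created,
       Mtime AS Modified,
       hash(path=OSPath).SHA256 AS SHA256
FROM glob(globs=AttachmentGlobs)
WHERE NOT IsDir
  AND Btime > timestamp(epoch=now() - LookbackSeconds)
ORDER BY Created DESC
```

Run it as a hunt and the SHA256 column can be pivoted straight into a second hunt across the fleet; a file that appears in several INetCache or Temp folders within the same day is a stronger phishing signal than any single hit.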
2. Execution
2.1. Command and Scripting Interpreter: PowerShell (T1059.001)
Hunt Name: Detect_PowerShell_Execution
Query 6: Identify PowerShell Executions
SELECT * FROM pslist() WHERE name = 'powershell.exe' OR name = 'pwsh.exe'

Hunt Name: Find_Encoded_PowerShell_Commands
Query 7: Detect PowerShell Commands with Encoded Scripts
SELECT * FROM pslist() WHERE name = 'powershell.exe' AND command_line LIKE '%-enc%'

Hunt Name: Monitor_PowerShell_Scripts_In_Temp
Query 8: Monitor PowerShell Scripts in Temp Directory
SELECT FullPath, Size, CreationTime FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\AppData\\Local\\Temp\\%.ps1'

Hunt Name: Search_For_Suspicious_PowerShell_Modules
Query 9: Search for Suspicious PowerShell Modules
SELECT * FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\Documents\\WindowsPowerShell\\Modules\\%'

Hunt Name: Detect_Recent_PowerShell_Executions
Query 10: Identify Recent PowerShell Executions
SELECT * FROM pslist() WHERE name = 'powershell.exe' AND CreationTime > now() - 86400
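pslist() is a real Velociraptor plugin, but its columns are Pid, Ppid, Name, CommandLine, Username and CreateTime, and VQL matches strings with =~ rather than LIKE. The block below is an added example (not from the original page) that combines Queries 6, 7 and 10 into one runnable hunt and goes one step further: it pulls the -EncodedCommand argument out of the command line and decodes it, so the analyst reads the script instead of a Base64 blob. The switch regex and the 24-hour window are assumptions to tune.

```vql
-- Added example, not from the original page. Assumes a Windows client and
-- Velociraptor's built-in pslist(), parse_string_with_regex(), base64decode(),
-- utf16() and timestamp() functions.
LET LookbackSeconds = 86400

-- Heuristic: any -e* switch (-e, -ec, -enc, -EncodedCommand, ...) followed by a
-- Base64-looking token of at least 16 characters. Assumed pattern, tune as needed.
LET EncRegex = "(?i)[[:space:]]-e[a-z]*[[:space:]]+(?P<Encoded>[A-Za-z0-9+/=]{16,})"

LET PowerShell = SELECT Pid, Ppid, Name, Username, CommandLine, CreateTime,
       parse_string_with_regex(string=CommandLine, regex=EncRegex).Encoded AS Encoded
  FROM pslist()
  WHERE Name =~ "^(powershell|pwsh)[.]exe$"

-- PowerShell takes -EncodedCommand as Base64 of a UTF-16LE string, hence
-- base64decode() followed by utf16(). Rows are kept when the process started
-- inside the window or carries an encoded payload, whichever applies.
SELECT Pid, Ppid, Name, Username, CreateTime, CommandLine, Encoded,
       if(condition=Encoded,
          then=utf16(string=base64decode(string=Encoded)),
          else="") AS DecodedScript
FROM PowerShell
WHERE CreateTime > timestamp(epoch=now() - LookbackSeconds)
   OR Encoded
```

Because pslist() only sees processes that are still running, short-lived encoded launches are missed; on hosts with Sysmon or 4688 auditing, the same EncRegex can be applied to the CommandLine field of those events with parse_evtx().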
3. Persistence
3.1. Registry Run Keys / Startup Folder (T1547.001)
Hunt Name: Enumerate_Registry_Run_Keys
Query 11: Enumerate Run Keys in Registry
SELECT Key, Value, Data FROM registry() WHERE Key LIKE 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run%'

Hunt Name: Detect_Suspicious_Startup_Items
Query 12: Detect Startup Items in User Profiles
SELECT FullPath, Size, CreationTime FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%'

Hunt Name: Search_For_Unusual_RunOnce_Keys
Query 13: Search for Unusual RunOnce Keys
SELECT Key, Value, Data FROM registry() WHERE Key LIKE 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce%'

Hunt Name: Monitor_Run_Key_Modifications
Query 14: Monitor Run Key Modifications
SELECT Key, Value, Data FROM registry() WHERE Key LIKE 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run%'

Hunt Name: Identify_Suspicious_Startup_Folder_Entries
Query 15: Identify Suspicious Startup Folder Entries
SELECT FullPath FROM FileSystem WHERE FullPath LIKE 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%'
4. Privilege Escalation
4.1. Process Injection (T1055)
Hunt Name: Detect_Remote_Thread_Creation
Query 16: Detect Remote Thread Creation
SELECT * FROM Windows.Handles() WHERE Type = 'Thread' AND GrantedAccess = 'CREATE_THREAD'

Hunt Name: Identify_Processes_With_Injected_Code
Query 17: Identify Processes with Injected Code
SELECT * FROM Windows.Processes() WHERE Injected = true

Hunt Name: Monitor_Suspicious_Memory_Regions
Query 18: Monitor Processes with Suspicious Memory Regions
SELECT * FROM Windows.MemoryMap() WHERE PrivateMemory = true AND Writable = true

Hunt Name: Detect_DLL_Injection_In_Processes
Query 19: Search for Processes with DLL Injections
SELECT * FROM Windows.Processes() WHERE DllInjected = true

Hunt Name: Monitor_Process_Handle_Operations
Query 20: Identify Suspicious Process Handle Operations
SELECT * FROM Windows.Handles() WHERE Type = 'Process' AND GrantedAccess = 'ALL_ACCESS'
5. Defence Evasion
5.1. Obfuscated Files or Information (T1027)
Hunt Name: Detect_Base64_Encoded_PowerShell
Query 21: Detect Base64 Encoded PowerShell Commands
SELECT * FROM pslist() WHERE name = 'powershell.exe' AND command_line LIKE '%-encodedcommand%'

Hunt Name: Identify_Obfuscated_Scripts_In_Temp
Query 22: Identify Suspicious Scripts in Temp Directory
SELECT FullPath, Size, CreationTime FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\AppData\\Local\\Temp\\%.vbs'

Hunt Name: Search_For_Encrypted_Scripts
Query 23: Search for Encrypted Scripts
SELECT FullPath FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\Documents\\%.vbe'

Hunt Name: Monitor_Batch_Files_In_Temp
Query 24: Monitor Obfuscated Batch Files
SELECT FullPath, Size, CreationTime FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\AppData\\Local\\Temp\\%.bat'

Hunt Name: Identify_XOR_Encrypted_Files
Query 25: Identify XOR Encrypted Files
SELECT FullPath FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\Documents\\%.xor'
6. Credential Access
6.1. Credential Dumping: LSASS Memory (T1003.001)
Hunt Name: Search_For_LSASS_Memory_Dumps
Query 26: Search for LSASS Memory Dumps
SELECT * FROM Windows.EventLogs.Application WHERE ProviderName = 'Sysmon' AND EventID = 10 AND Image = 'lsass.exe'

Hunt Name: Monitor_LSASS_Process_Access
Query 27: Monitor Access to LSASS Process
SELECT * FROM Windows.Handles() WHERE ProcessName = 'lsass.exe' AND GrantedAccess = 'ALL_ACCESS'

Hunt Name: Identify_LSASS_Handle_Operations
Query 28: Identify Processes with LSASS Handles
SELECT * FROM Windows.Processes() WHERE name = 'lsass.exe' AND HasInjectedCode = true

Hunt Name: Detect_Tools_For_LSASS_Dumps
Query 29: Detect Tools Known for LSASS Dumps
SELECT * FROM pslist() WHERE name LIKE 'procdump%' OR name LIKE 'taskmanager%'

Hunt Name: Monitor_LSASS_Memory_Reads
Query 30: Monitor Memory Reads from LSASS
SELECT * FROM Windows.MemoryMap() WHERE ProcessName = 'lsass.exe' AND Readable = true
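Query 26 has the right idea: Sysmon event ID 10 (ProcessAccess) records every process that opens a handle to lsass.exe, together with the access mask it asked for. Sysmon writes to its own Operational channel rather than the Application log, and in Velociraptor that channel is read with parse_evtx(). The following is an added example (not from the original page) that assumes a Windows client with Sysmon logging ProcessAccess; the access-mask list and the allow list of known-good source images are assumed starting points, not facts from the page.

```vql
-- Added example, not from the original page. Assumes a Windows client with
-- Sysmon logging ProcessAccess (event ID 10) and Velociraptor's parse_evtx().
LET SysmonLog = "C:/Windows/System32/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx"

-- Access masks commonly requested on lsass.exe by credential-dumping tools
-- (0x1010, 0x1410, 0x1438, 0x1FFFFF). Assumed starting list, extend from your data.
LET DumpAccessRegex = "(?i)^0x(1010|1410|1438|1fffff)$"

-- Processes that legitimately open lsass.exe. Assumed allow list keyed on the
-- full System32 path (a single "." stands in for the path separator), plus
-- Defender's engine; tune per estate.
LET KnownGoodSource = "(?i)^(C:.Windows.System32.(csrss|wininit|services|svchost|lsass)[.]exe|.*MsMpEng[.]exe)$"

SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
       System.Computer AS Host,
       EventData.SourceProcessId AS SourcePid,
       EventData.SourceImage AS SourceImage,
       EventData.TargetImage AS TargetImage,
       EventData.GrantedAccess AS GrantedAccess,
       EventData.CallTrace AS CallTrace
FROM parse_evtx(filename=SysmonLog)
WHERE System.EventID.Value = 10
  AND EventData.TargetImage =~ "lsass[.]exe$"
  AND EventData.GrantedAccess =~ DumpAccessRegex
  AND NOT EventData.SourceImage =~ KnownGoodSource
```

CallTrace is worth keeping in the output: a handle opened from an unbacked memory region or from a DLL outside System32 points at injected or unsigned code, which is the same condition Queries 27 and 28 try to express with non-existent Handles() and Processes() plugins.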
7. Discovery
7.1. System Information Discovery (T1082)
Hunt Name: Identify_System_Info_Commands
Query 31: Search for System Information Enumeration
SELECT * FROM pslist() WHERE name = 'systeminfo.exe' OR name = 'hostname.exe'

Hunt Name: Monitor_Host_Information_Commands
Query 32: Monitor Commands Gathering Host Information
SELECT * FROM pslist() WHERE command_line LIKE '%hostname%' OR command_line LIKE '%whoami%'

Hunt Name: Identify_WMI_System_Info_Queries
Query 33: Identify System Information Queries via WMI
SELECT * FROM Windows.WMI.Query WHERE QueryText LIKE '%Win32_ComputerSystem%'

Hunt Name: Detect_AD_Enumeration
Query 34: Detect Active Directory Enumeration
SELECT * FROM pslist() WHERE name = 'dsquery.exe' OR name = 'net.exe'

Hunt Name: Monitor_WMIC_System_Commands
Query 35: Monitor WMIC Commands for System Information
SELECT * FROM pslist() WHERE name = 'wmic.exe' AND command_line LIKE '%computersystem%'
8. Lateral Movement
8.1. Remote Services: Remote Desktop Protocol (RDP) (T1021.001)
Hunt Name: Monitor_RDP_Logons
Query 36: Monitor RDP Logons
SELECT * FROM Windows.EventLogs.Security WHERE EventID = 4624 AND LogonType = 10

Hunt Name: Identify_RDP_Network_Sessions
Query 37: Identify RDP Sessions Established via Network
SELECT * FROM Windows.Network.Connection WHERE RemotePort = 3389 AND State = 'ESTABLISHED'

Hunt Name: Search_For_RDP_Config_Changes
Query 38: Search for RDP Configuration Changes
SELECT Key, Value, Data FROM registry() WHERE Key LIKE 'HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\%'

Hunt Name: Detect_RDP_Client_Use
Query 39: Detect Use of RDP Client
SELECT * FROM pslist() WHERE name = 'mstsc.exe'

Hunt Name: Monitor_Suspicious_RDP_File_Transfers
Query 40: Monitor Suspicious RDP File Transfers
SELECT * FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\Documents\\RDP\\%'
9. Collection
9.1. Data from Local System (T1005)
Hunt Name: Identify_Access_To_Sensitive_Files
Query 41: Identify Access to Sensitive Files
SELECT FullPath, Size, LastAccessTime FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\Documents\\%' AND LastAccessTime > now() - 86400

Hunt Name: Monitor_Copy_Operations_Of_Sensitive_Files
Query 42: Monitor Copy Operations of Sensitive Files
SELECT * FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\Documents\\%' AND Operation = 'COPY'

Hunt Name: Detect_Archive_Files_With_Sensitive_Data
Query 43: Detect Archive Files Containing Sensitive Data
SELECT FullPath, Size FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\Documents\\%.zip'

Hunt Name: Search_For_Encrypted_Archives
Query 44: Search for Encrypted Archives
SELECT FullPath FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\Documents\\%.7z'

Hunt Name: Identify_Unauthorized_Data_Access
Query 45: Identify Unauthorized Data Access Attempts
SELECT FullPath FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\Documents\\%' AND PermissionDenied = true
10. Command and Control
10.1. Command and Control: Web Protocols (T1071.001)
Hunt Name: Monitor_DNS_Queries_For_C2_Domains
Query 46: Monitor DNS Queries for Known Malicious Domains
SELECT QueryName, QueryType FROM Windows.DNS.Queries WHERE QueryName LIKE '%maliciousdomain.com%'

Hunt Name: Search_For_HTTP_S_Connections_To_C2
Query 47: Search for HTTP/S Connections to C2 Servers
SELECT * FROM Windows.Network.Connection WHERE RemotePort = 80 OR RemotePort = 443

Hunt Name: Detect_Suspicious_HTTP_POST_Requests
Query 48: Identify Suspicious HTTP POST Requests
SELECT * FROM Windows.Network.Connection WHERE RemotePort = 80 AND Protocol = 'HTTP' AND Method = 'POST'

Hunt Name: Identify_Non_Standard_HTTP_Methods
Query 49: Detect Non-Standard HTTP Methods
SELECT * FROM Windows.Network.Connection WHERE RemotePort = 80 AND Method NOT IN ('GET', 'POST')

Hunt Name: Monitor_DNS_For_Known_C2_Patterns
Query 50: Monitor DNS Traffic for Known C2 Patterns
SELECT QueryName, QueryType FROM Windows.DNS.Queries WHERE QueryName LIKE '%cnc%'
11. Exfiltration
11.1. Exfiltration Over C2 Channel (T1041)
Hunt Name: Monitor_Large_Data_Transfers_To_External_IPs
Query 51: Monitor Large Data Transfers to External IPs
SELECT * FROM Windows.Network.Connection WHERE BytesSent > 10485760 AND RemoteAddress NOT LIKE '192.168.%'

Hunt Name: Search_For_Encrypted_Data_Exfiltration
Query 52: Search for Encrypted Data Exfiltration
SELECT * FROM Windows.Network.Connection WHERE Protocol = 'HTTPS' AND BytesSent > 10485760

Hunt Name: Detect_FTP_Uploads_To_External_Servers
Query 53: Detect FTP Uploads to External Servers
SELECT * FROM Windows.Network.Connection WHERE RemotePort = 21 AND State = 'ESTABLISHED'

Hunt Name: Identify_ICMP_Tunneling_Attempts
Query 54: Identify ICMP Tunneling Attempts
SELECT * FROM Windows.Network.Icmp WHERE MessageType = 8 AND MessageCode = 0

Hunt Name: Monitor_SFTP_Transfers_To_Untrusted_Servers
Query 55: Monitor SFTP Transfers to Untrusted Servers
SELECT * FROM Windows.Network.Connection WHERE RemotePort = 22 AND State = 'ESTABLISHED'
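Sections 10 and 11 both key on live network connections. Velociraptor's real plugin for that is netstat(), which reports the socket tuple, its state and the owning Pid; it does not expose byte counts, HTTP methods or protocol names, so the BytesSent and Method conditions above need a network sensor or proxy log rather than an endpoint query. The block below is an added example (not from the original page) serving Queries 47, 51, 53 and 55: it lists established connections to non-private addresses on the ports those queries name and attributes each to its process. The internal-address regex and the port list are assumptions.

```vql
-- Added example, not from the original page. Assumes a Windows client and
-- Velociraptor's built-in netstat() and pslist() plugins.

-- RFC 1918, loopback, unspecified and link-local addresses; everything else
-- is treated as external. Assumed definition, adjust for your address plan.
LET InternalRegex = "^(10[.]|172[.](1[6-9]|2[0-9]|3[01])[.]|192[.]168[.]|127[.]|0[.]0[.]0[.]0$|::1$|::$|fe80:)"

-- Ports from Queries 47-55 (HTTP/S, FTP, SSH/SFTP) plus RDP and common alternates.
LET WatchPorts = [21, 22, 80, 443, 3389, 8080, 8443]

-- The subquery in the column list attributes the socket to its owning process;
-- it is empty when the process has already exited.
SELECT Pid,
       FamilyString,
       TypeString,
       Status,
       Laddr.IP AS LocalIP,
       Laddr.Port AS LocalPort,
       Raddr.IP AS RemoteIP,
       Raddr.Port AS RemotePort,
       Timestamp,
       { SELECT Name, Exe, CommandLine, Username FROM pslist(pid=Pid) } AS Process
FROM netstat()
WHERE Status =~ "ESTAB"
  AND NOT Raddr.IP =~ InternalRegex
  AND Raddr.Port in WatchPorts
```

A browser talking to port 443 is the expected case; the rows that matter are those where Process is a script host, an Office binary, or an executable running from a user-writable path, which is why the attribution column is part of the hunt rather than a follow-up.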
12. Impact
12.1. Inhibit System Recovery: Disable or Modify Tools (T1490)
Hunt Name: Monitor_Volume_Shadow_Copy_Deletion
Query 56: Monitor Volume Shadow Copy Deletion
SELECT * FROM Windows.EventLogs.Application WHERE ProviderName = 'VSS' AND EventID = 8194

Hunt Name: Search_For_Commands_Disabling_Recovery
Query 57: Search for Commands Disabling System Recovery
SELECT * FROM pslist() WHERE command_line LIKE '%vssadmin delete shadows%'

Hunt Name: Detect_System_Restore_Point_Deletion
Query 58: Detect System Restore Point Deletion
SELECT * FROM Windows.EventLogs.System WHERE EventID = 103 AND SourceName = 'System Restore'

Hunt Name: Monitor_Registry_Changes_Disabling_Backups
Query 59: Monitor Registry Changes Disabling Backup Features
SELECT Key, Value, Data FROM registry() WHERE Key LIKE 'HKLM\\System\\CurrentControlSet\\Services\\VSS\\Start'

Hunt Name: Search_For_Disabled_Windows_Recovery
Query 60: Search for Disabling Windows Recovery Options
SELECT * FROM Windows.Registry.KeyValue WHERE KeyPath = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute' AND Data != 'autocheck autochk *'
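Query 57 checks the live process list for vssadmin, but that command runs for well under a second, so by the time a hunt reaches the host the process is gone. The practical hunt combines the live view with the historical process-creation record. The block below is an added example (not from the original page): it uses chain() to union pslist() with Sysmon event ID 1 read by parse_evtx(), and widens Query 57's pattern to the wmic, bcdedit and wbadmin forms of the same technique. It assumes a Windows client with Sysmon; the regex is this example's assumption.

```vql
-- Added example, not from the original page. Assumes a Windows client with
-- Sysmon process-create logging (event ID 1) and Velociraptor's built-in
-- pslist(), parse_evtx(), chain() and timestamp() functions.
LET SysmonLog = "C:/Windows/System32/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx"

-- Recovery-inhibiting command lines: Query 57's vssadmin form plus the usual
-- wmic, bcdedit and wbadmin variants. Assumed pattern, extend as needed.
LET RecoveryRegex = "(?i)(vssadmin.*delete.*shadows|wmic.*shadowcopy.*delete|bcdedit.*(recoveryenabled[[:space:]]+no|bootstatuspolicy[[:space:]]+ignoreallfailures)|wbadmin.*delete.*(catalog|systemstatebackup))"

-- Still-running processes (rarely populated for this technique, kept for completeness).
LET Live = SELECT "live" AS Source,
       CreateTime AS EventTime,
       Pid, Ppid,
       Name AS Image,
       CommandLine,
       Username AS User
  FROM pslist()
  WHERE CommandLine =~ RecoveryRegex

-- Historical process creations: this is the source that actually catches
-- a vssadmin invocation after the fact.
LET Historical = SELECT "sysmon" AS Source,
       timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
       EventData.ProcessId AS Pid,
       EventData.ParentProcessId AS Ppid,
       EventData.Image AS Image,
       EventData.CommandLine AS CommandLine,
       EventData.User AS User
  FROM parse_evtx(filename=SysmonLog)
  WHERE System.EventID.Value = 1
    AND EventData.CommandLine =~ RecoveryRegex

SELECT * FROM chain(a=Live, b=Historical)
```

Where Sysmon is absent, Security event 4688 with command-line auditing enabled carries the same CommandLine field and can replace the Historical query with no other change.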
13. Execution (Continued)
13.1. User Execution: Malicious File (T1204.002)
Hunt Name: Identify_Unsigned_Executable_Execution
Query 61: Identify Execution of Unsigned Executables
SELECT * FROM pslist() WHERE name LIKE '%.exe' AND Signed = false

Hunt Name: Search_For_Execution_Of_Recent_Downloads
Query 62: Search for Execution of Recently Downloaded Files
SELECT * FROM pslist() WHERE name LIKE '%.exe' AND CreationTime > now() - 86400

Hunt Name: Monitor_Script_Execution_From_User_Folders
Query 63: Monitor Execution of Scripts from User Folders
SELECT * FROM pslist() WHERE name LIKE '%.vbs' OR name LIKE '%.js'

Hunt Name: Detect_Execution_Of_Suspicious_Extensions
Query 64: Detect Execution of Files with Suspicious Extensions
SELECT * FROM pslist() WHERE name LIKE '%.scr' OR name LIKE '%.cpl'

Hunt Name: Identify_Execution_From_Temp_Directories
Query 65: Identify Execution of Files from Temp Directories
SELECT * FROM pslist() WHERE command_line LIKE 'C:\\Users\\%\\AppData\\Local\\Temp\\%'
14. Persistence (Continued)
14.1. Boot or Logon Autostart Execution: Registry Run Keys (T1547.001)
Hunt Name: Identify_Registry_Autostart_Entries
Query 66: Identify Autostart Entries in Registry
SELECT Key, Value, Data FROM registry() WHERE Key LIKE 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run%'

Hunt Name: Monitor_RunOnce_Key_Changes
Query 67: Monitor Changes to RunOnce Keys
SELECT Key, Value, Data FROM registry() WHERE Key LIKE 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce%'

Hunt Name: Detect_New_Startup_Registry_Entries
Query 68: Detect New Startup Items in Registry
SELECT * FROM registry() WHERE Key LIKE 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run%' AND Value NOT IN (SELECT Value FROM registry_previous)

Hunt Name: Search_For_Persistence_Via_Winlogon_Keys
Query 69: Search for Persistence via Winlogon Keys
SELECT * FROM registry() WHERE Key LIKE 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\%'

Hunt Name: Monitor_Registry_Entries_For_Suspicious_Executables
Query 70: Monitor Registry Entries for Suspicious Executables
SELECT Key, Value, Data FROM registry() WHERE Data LIKE '%.exe' AND (Key LIKE 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run%' OR Key LIKE 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run%')
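Sections 3.1 and 14.1 both enumerate Run, RunOnce and Winlogon autoruns. Velociraptor reads the registry through its "registry" accessor, which makes keys and values look like files to glob(): each value becomes a row with OSPath, Name, Mtime and a Data object carrying the value's type and content. The block below is an added example (not from the original page) that collects Queries 11, 13, 14, 66, 67, 69 and 70 in one hunt, covering HKCU for every loaded profile via HKEY_USERS and the Wow6432Node view; the "user-writable path" triage column is this example's assumption.

```vql
-- Added example, not from the original page. Assumes a Windows client and
-- Velociraptor's "registry" accessor, which exposes values as glob() rows with
-- OSPath, Name, Mtime and a Data object (Data.type, Data.value).
LET AutorunGlobs = [
    "HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run*/*",
    "HKEY_LOCAL_MACHINE/Software/Wow6432Node/Microsoft/Windows/CurrentVersion/Run*/*",
    "HKEY_USERS/*/Software/Microsoft/Windows/CurrentVersion/Run*/*",
    "HKEY_LOCAL_MACHINE/Software/Microsoft/Windows NT/CurrentVersion/Winlogon/*"
]

-- Autorun data pointing into user-writable locations is the part to read
-- first. Assumed triage heuristic, not an allow list.
LET SuspiciousPathRegex = "(?i)(Users|AppData|Temp|ProgramData|Public|Downloads|Recycle)"

-- Mtime is the last-write time of the containing key: a Run key touched
-- yesterday on a host built two years ago is itself a lead.
SELECT OSPath AS KeyPath,
       Name AS ValueName,
       Data.type AS Type,
       Data.value AS Data,
       Mtime AS KeyModified,
       Data.value =~ SuspiciousPathRegex AS UserWritablePath
FROM glob(globs=AutorunGlobs, accessor="registry")
WHERE Data.type =~ "SZ"
```

Query 68's "compare with the previous snapshot" idea is better done server-side: run this hunt on a schedule and diff the KeyPath/ValueName/Data tuples between collections, rather than expecting the client to remember an earlier state.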
15. Defence Evasion (Continued)
15.1. Process Injection: Process Hollowing (T1055.012)
Hunt Name: Detect_Process_Hollowing_Indicators
Query 71: Monitor for Suspicious Process Hollowing Indicators
SELECT * FROM Windows.Processes() WHERE CommandLine LIKE '%svchost.exe%' AND ParentProcessName != 'services.exe'

Hunt Name: Search_For_Inconsistencies_In_Memory_Allocation
Query 72: Search for Inconsistencies in Memory Allocation
SELECT * FROM Windows.MemoryMap() WHERE ProcessName = 'svchost.exe' AND (MemoryMapped = false OR Writable = true)

Hunt Name: Detect_Unusual_Parent_Child_Process_Relationships
Query 73: Detect Unusual Parent-Child Process Relationships
SELECT * FROM Windows.Processes() WHERE ParentProcessName NOT IN ('explorer.exe', 'services.exe') AND ProcessName LIKE '%svchost.exe%'

Hunt Name: Monitor_Process_Creation_With_Suspicious_Flags
Query 74: Monitor for Process Creation with Suspicious Flags
SELECT * FROM Windows.Processes() WHERE CreationFlags & 0x00000004 != 0

Hunt Name: Search_For_Hollowed_Process_Memory_Regions
Query 75: Search for Processes with Hollowed Memory Regions
SELECT * FROM Windows.MemoryMap() WHERE PrivateMemory = true AND Writable = true AND Executable = true
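Queries 71 and 73 express the classic hollowing tell: an svchost.exe whose parent is not services.exe. pslist() gives Pid and Ppid but no parent name, so the parent has to be joined in. The block below is an added example (not from the original page) that does that join with foreach() over a materialised process snapshot and adds a second norm check, the "-k <group>" argument that Windows always passes to a genuine svchost. It assumes a Windows client. The memory-region conditions of Queries 72 and 75 are a separate check that Velociraptor's vad() plugin supports; they are not covered here.

```vql
-- Added example, not from the original page. Assumes a Windows client and
-- Velociraptor's built-in pslist() and foreach() plugins.
LET Procs <= SELECT Pid, Ppid, Name, Exe, CommandLine, Username FROM pslist()

-- Join every svchost.exe to its parent by Ppid. Columns are renamed so the
-- child's and the parent's fields do not shadow each other inside foreach().
-- A child whose parent has already exited yields no row from the inner query
-- and is therefore not reported by this hunt.
LET SvchostWithParent = SELECT * FROM foreach(
    row={
        SELECT Pid AS ChildPid, Ppid AS ParentPid, Exe AS ChildExe,
               CommandLine AS ChildCommandLine, Username AS ChildUser
        FROM Procs
        WHERE Name =~ "^svchost[.]exe$"
    },
    query={
        SELECT ChildPid, ChildExe, ChildCommandLine, ChildUser,
               ParentPid, Name AS ParentName, Exe AS ParentExe
        FROM Procs
        WHERE Pid = ParentPid
    })

-- Report svchost instances that break the Windows norm: started by
-- services.exe and given a "-k <group>" service group on the command line.
SELECT * FROM SvchostWithParent
WHERE NOT ParentName =~ "^services[.]exe$"
   OR NOT ChildCommandLine =~ "(?i) -k "
```

The same pattern generalises to any parent-child rule (for example an Office binary spawning a script host) by changing the two regexes; the join itself stays as written.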
16. Credential Access (Continued)
16.1. OS Credential Dumping: NTDS (T1003.003)
Hunt Name: Search_For_NTDS_dit_Access_Attempts
Query 76: Search for NTDS.dit Access Attempts
SELECT * FROM FileSystem WHERE FullPath LIKE 'C:\\Windows\\NTDS\\ntds.dit'

Hunt Name: Monitor_NTDS_dit_Copy_Operations
Query 77: Monitor for NTDS.dit Copy Operations
SELECT * FROM Windows.EventLogs.Security WHERE EventID = 4663 AND ObjectName LIKE 'C:\\Windows\\NTDS\\ntds.dit'

Hunt Name: Detect_NTDS_dit_Access_Via_VSSAdmin
Query 78: Detect NTDS.dit Access via VSSAdmin
SELECT * FROM pslist() WHERE name = 'vssadmin.exe' AND command_line LIKE '%create shadow%'

Hunt Name: Search_For_NTDS_dit_In_VSS_Snapshots
Query 79: Search for NTDS.dit in VSS Snapshots
SELECT * FROM FileSystem WHERE FullPath LIKE 'C:\\Windows\\NTDS\\ntds.dit' AND IsInShadowCopy = true

Hunt Name: Monitor_NTDS_dit_Access_By_Non_System_Processes
Query 80: Monitor NTDS.dit Access by Non-System Processes
SELECT * FROM Windows.Processes() WHERE name = 'ntds.dit' AND ParentProcessName NOT IN ('lsass.exe', 'services.exe')
17. Discovery (Continued)
17.1. File and Directory Discovery (T1083)
Hunt Name: Identify_File_And_Directory_Enumeration_Commands
Query 81: Identify Commands Enumerating Files or Directories
SELECT * FROM pslist() WHERE command_line LIKE '%dir%' OR command_line LIKE '%ls%'

Hunt Name: Monitor_File_Listings_In_User_Folders
Query 82: Monitor File Listing Commands in User Folders
SELECT * FROM pslist() WHERE command_line LIKE '%dir%' AND command_line LIKE 'C:\\Users\\%'

Hunt Name: Search_For_Commands_Accessing_Hidden_Directories
Query 83: Search for Commands Accessing Hidden Directories
SELECT * FROM pslist() WHERE command_line LIKE '%dir%' AND command_line LIKE '%/A:H%'

Hunt Name: Detect_Listing_Of_System_Files
Query 84: Detect Listing of System Files
SELECT * FROM pslist() WHERE command_line LIKE '%dir%' AND command_line LIKE 'C:\\Windows\\%'

Hunt Name: Monitor_Recursive_File_Listings
Query 85: Monitor Recursive File Listings
SELECT * FROM pslist() WHERE command_line LIKE '%dir /S%'
18. Lateral Movement (Continued)
18.1. Pass the Hash (T1550.002)
Hunt Name: Monitor_LSASS_For_Credential_Extraction
Query 86: Monitor LSASS for Credential Extraction
SELECT * FROM pslist() WHERE name = 'mimikatz.exe' OR command_line LIKE '%sekurlsa::pth%'

Hunt Name: Search_For_Suspicious_Logon_Attempts_Using_Hashes
Query 87: Search for Suspicious Logon Attempts Using Hashes
SELECT * FROM Windows.EventLogs.Security WHERE EventID = 4624 AND LogonType = 9

Hunt Name: Detect_Abnormal_SMB_Logon_Attempts
Query 88: Detect Abnormal SMB Logon Attempts
SELECT * FROM Windows.EventLogs.Security WHERE EventID = 4624 AND LogonType = 3 AND AccountName NOT IN (SELECT AccountName FROM UserAccounts)

Hunt Name: Search_For_Lateral_Movement_Using_Cached_Credentials
Query 89: Search for Lateral Movement Using Cached Credentials
SELECT * FROM Windows.EventLogs.Security WHERE EventID = 4624 AND LogonType = 5

Hunt Name: Monitor_Logon_Sessions_From_Unusual_Sources
Query 90: Monitor Logon Sessions Originating from Unusual Sources
SELECT * FROM Windows.EventLogs.Security WHERE EventID = 4624 AND LogonType = 2 AND SourceAddress NOT LIKE '192.168.%'
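Sections 8.1 and 18.1 both reduce to reading Security event 4624 and filtering on the logon type. In Velociraptor that is parse_evtx() over Security.evtx, with the event's fields under System and EventData. The block below is an added example (not from the original page) covering Queries 36, 87, 88 and 90 in one pass: RDP (type 10), NewCredentials logons created through the "seclogo" logon process (type 9, the shape left by runas /netonly and by pass-the-hash tooling), and NTLM network logons (type 3) from outside the internal ranges. It assumes a Windows client; the internal-address regex is this example's assumption.

```vql
-- Added example, not from the original page. Assumes a Windows client and
-- Velociraptor's built-in parse_evtx() plugin reading the Security log.
LET SecurityLog = "C:/Windows/System32/winevt/Logs/Security.evtx"

-- RFC 1918, loopback and the "-" placeholder Windows writes for local logons.
-- Assumed definition, adjust for your address plan.
LET InternalRegex = "^(10[.]|172[.](1[6-9]|2[0-9]|3[01])[.]|192[.]168[.]|127[.]|::1$|-$)"

-- Three conditions, in order: interactive RDP session (Queries 36, 89);
-- NewCredentials logon via seclogo (Query 87); NTLM network logon from an
-- external source address (Queries 88, 90).
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
       System.Computer AS Host,
       EventData.TargetDomainName AS Domain,
       EventData.TargetUserName AS User,
       EventData.LogonType AS LogonType,
       EventData.IpAddress AS SourceIP,
       EventData.WorkstationName AS Workstation,
       EventData.LogonProcessName AS LogonProcess,
       EventData.AuthenticationPackageName AS AuthPackage
FROM parse_evtx(filename=SecurityLog)
WHERE System.EventID.Value = 4624
  AND (
       (EventData.LogonType = 10)
    OR (EventData.LogonType = 9 AND EventData.LogonProcessName =~ "^seclogo$")
    OR (EventData.LogonType = 3
        AND EventData.AuthenticationPackageName = "NTLM"
        AND NOT EventData.IpAddress =~ InternalRegex)
  )
```

Query 88's "account not in the local user list" check is best done on the server after collection, by joining the User column against an exported account inventory, since the client has no table of expected accounts to compare against.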
19. Collection (Continued)
19.1. Screen Capture (T1113)
Hunt Name: Search_For_Screen_Capture_Tools
Query 91: Search for Screen Capture Tools
SELECT * FROM pslist() WHERE name LIKE '%snippingtool%' OR name LIKE '%screenshot%'

Hunt Name: Monitor_Output_Files_From_Screen_Capture_Tools
Query 92: Monitor Output Files from Screen Capture Tools
SELECT FullPath, Size FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\Pictures\\Screenshots\\%'

Hunt Name: Detect_Use_Of_Built_In_Screenshot_Tools
Query 93: Detect Use of Built-in Screenshot Tools
SELECT * FROM pslist() WHERE name LIKE '%Snip%'

Hunt Name: Identify_Screen_Capture_Commands
Query 94: Identify Screen Capture Commands
SELECT * FROM pslist() WHERE command_line LIKE '%screencapture%' OR command_line LIKE '%scrot%'

Hunt Name: Monitor_Image_Files_Created_In_Temp_Folders
Query 95: Monitor Creation of Image Files in Temp Folders
SELECT FullPath, Size, CreationTime FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\AppData\\Local\\Temp\\%.png' OR FullPath LIKE 'C:\\Users\\%\\AppData\\Local\\Temp\\%.jpg'
20. Impact (Continued)
20.1. Data Encrypted for Impact (T1486)
Hunt Name: Monitor_Unusual_File_Modifications
Query 96: Monitor Unusual File Modifications Indicating Encryption
SELECT FullPath, Size, LastWriteTime FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\Documents\\%' AND Extension IN ('.encrypted', '.locked')

Hunt Name: Search_For_Known_Ransomware_Signatures
Query 97: Search for Known Ransomware Signatures
SELECT * FROM Windows.EventLogs.Application WHERE ProviderName = 'Symantec' AND Message LIKE '%Ransomware%'

Hunt Name: Detect_Sudden_Increase_In_File_Modifications
Query 98: Detect Sudden Increase in File Modifications
SELECT * FROM Windows.EventLogs.Security WHERE EventID = 4663 AND ObjectName LIKE 'C:\\Users\\%\\Documents\\%' AND ObjectType = 'File' AND AccessMask = 'WRITE'

Hunt Name: Monitor_Creation_Of_Ransom_Notes
Query 99: Monitor Creation of Ransom Notes
SELECT FullPath, Size, CreationTime FROM FileSystem WHERE FullPath LIKE 'C:\\Users\\%\\Documents\\RansomwareNote.txt'

Hunt Name: Identify_Ransomware_Processes
Query 100: Identify Ransomware Processes
SELECT * FROM pslist() WHERE name LIKE 'ransomware%'
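Queries 96, 98 and 99 each look at one symptom of encryption in progress: renamed extensions, a burst of writes, and a dropped note. A filesystem walk can capture all three at once, because a ransomware run rewrites whole folders within minutes and leaves its note beside them. The block below is an added example (not from the original page) that walks user document folders with glob(), keeps files written in the last hour, and aggregates per directory with GROUP BY so the burst stands out; it assumes a Windows client, and the extension and note-name regexes extend the page's two literal values with common variants as this example's assumption.

```vql
-- Added example, not from the original page. Assumes a Windows client and
-- Velociraptor's built-in glob(), timestamp(), str() and the count(), sum(),
-- min() and max() aggregate functions.
LET WindowSeconds = 3600
LET DocumentGlobs = ["C:/Users/*/Documents/**", "C:/Users/*/Desktop/**"]

-- Extensions and note names from Queries 96 and 99 plus common variants
-- (assumed; extend from your own incident data).
LET EncryptedExtRegex = "(?i)[.](encrypted|locked|crypt|crypted|enc|lock)$"
LET RansomNoteRegex = "(?i)(ransom|readme|decrypt|restore|recover).*[.](txt|html|hta)$"

LET RecentWrites = SELECT OSPath, Size, Mtime, Btime,
       str(str=OSPath.Dirname) AS Directory,
       OSPath.Basename =~ EncryptedExtRegex AS EncryptedExtension,
       OSPath.Basename =~ RansomNoteRegex AS RansomNote
  FROM glob(globs=DocumentGlobs)
  WHERE NOT IsDir
    AND Mtime > timestamp(epoch=now() - WindowSeconds)

-- Per-directory burst view (Query 98): many files written in a short span,
-- most with a new extension and a note alongside, is the ransomware shape.
SELECT Directory,
       count() AS FilesWritten,
       sum(item=if(condition=EncryptedExtension, then=1, else=0)) AS WithEncryptedExtension,
       sum(item=if(condition=RansomNote, then=1, else=0)) AS RansomNotes,
       min(item=Mtime) AS FirstWrite,
       max(item=Mtime) AS LastWrite
FROM RecentWrites
GROUP BY Directory
ORDER BY FilesWritten DESC
LIMIT 25
```

FirstWrite on the hottest directory gives the encryption start time, which is the pivot for every other hunt on this page: process creations, logons and network connections just before that timestamp are where the initial access and the operator's tooling will be found.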