查寻勒索软件

备注

希望体验 Microsoft 365 Defender? 详细了解如何评估和试点Microsoft 365 Defender

适用于:

  • Microsoft 365 Defender

勒索软件已迅速从影响单个计算机用户的简单商品恶意软件演变为严重影响行业和政府机构的企业威胁。 虽然Microsoft 365 Defender提供了许多用于检测和阻止勒索软件和关联入侵活动的功能,但对泄露迹象执行主动检查有助于保护网络。

阅读有关人工操作勒索软件的信息

借Microsoft 365 Defender高级搜寻,可以创建查询来查找与勒索软件活动关联的各个项目。 还可以运行更复杂的查询,这些查询可以查找活动迹象并权衡这些标志,以查找需要立即注意的设备。

勒索软件活动的迹象

Microsoft 安全研究人员在由复杂入侵者发起的许多勒索软件活动中观察到各种常见但微妙的项目。 这些迹象主要涉及使用系统工具准备加密、防止检测和清除法医证据。

勒索软件活动 常用工具 Intent
停止进程 taskkill.exe净停止 确保针对加密的文件不会被各种应用程序锁定。
关闭服务 sc.exe - 确保针对加密的文件不会被各种应用程序锁定。
- 防止安全软件中断加密和其他勒索软件活动。
- 停止备份软件创建可恢复的副本。
删除日志和文件 cipher.exewevtutilfsutil.exe 删除法医证据。
删除卷影副本 vsadmin.exewmic.exe 删除可用于恢复加密文件的驱动器卷影副本。
删除和停止备份 wbadmin.exe 删除现有备份并停止计划的备份任务,阻止加密后恢复。
修改启动设置 bcdedit.exe 在启动失败后关闭由加密过程导致的警告和自动修复。
关闭恢复工具 schtasks.exeregedit.exe 关闭系统还原和其他系统恢复选项。

检查勒索软件活动的各个迹象

构成勒索软件行为的许多活动(包括上一部分所述的活动)可能是良性的。 使用以下查询查找勒索软件时,运行多个查询以检查同一设备是否存在各种可能的勒索软件活动迹象。

使用 taskkill.exe 停止多个进程

此查询检查是否尝试使用taskkill.exe实用工具停止至少 10 单独的进程。 运行查询

// Find attempts to stop processes using taskkill.exe
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "taskkill.exe" 
| summarize taskKillCount = dcount(ProcessCommandLine), TaskKillList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where taskKillCount > 10

使用 净停止 停止进程

此查询检查是否尝试使用 Net stop 命令停止至少 10 个单独的进程。 运行查询

// Find attempts to stop processes using net stop
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "net.exe" and ProcessCommandLine has "stop"
| summarize netStopCount = dcount(ProcessCommandLine), NetStopList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where netStopCount > 10

使用 cipher.exe 删除多个驱动器上的数据

此查询检查是否尝试使用 cipher.exe 删除多个驱动器上的数据。 此活动通常由勒索软件完成,以防止在加密后恢复数据。 运行查询

// Look for cipher.exe deleting data from multiple drives
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "cipher.exe" 
// cipher.exe /w flag used for deleting data 
| where ProcessCommandLine has "/w" 
| summarize CipherCount = dcount(ProcessCommandLine),
CipherList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m) 
// cipher.exe accessing multiple drives in a short timeframe 
| where CipherCount > 1

使用 wevtutil 清除事件日志中的法医证据

此查询检查是否尝试使用 wevtutil 从事件日志中清除至少 10 个日志条目。 运行查询

// Look for use of wevtutil to clear multiple logs
DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine has "WEVTUTIL" and ProcessCommandLine has "CL"
| summarize LogClearCount = dcount(ProcessCommandLine), ClearedLogList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
| where LogClearCount > 10

使用 sc.exe 关闭服务

此查询检查是否尝试使用 sc.exe 关闭至少 10 个现有服务。 运行查询

// Look for sc.exe disabling services
DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine has "sc" and ProcessCommandLine has "config" and ProcessCommandLine has "disabled"
| summarize ScDisableCount = dcount(ProcessCommandLine), ScDisableList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
| where ScDisableCount > 10

关闭系统还原

此查询标识阻止系统还原和阻止系统创建还原点的尝试,该还原点可用于恢复勒索软件加密的数据。 运行查询

DeviceProcessEvents
//Pivoting for rundll32  
| where InitiatingProcessFileName =~ 'rundll32.exe'   
//Looking for empty command line   
and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""  
//Looking for schtasks.exe as the created process  
and FileName in~ ('schtasks.exe')  
//Disabling system restore   
and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore' 
and ProcessCommandLine has 'disable'

备份删除

此查询标识使用 wmic.exe 在加密之前删除卷影复制快照。 运行查询

DeviceProcessEvents
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete"
| project DeviceId, Timestamp, InitiatingProcessFileName, FileName,
ProcessCommandLine, InitiatingProcessIntegrityLevel, InitiatingProcessParentFileName

检查勒索软件活动的多个迹象

你还可以使用一个全面的查询来检查勒索软件活动的多个迹象,以识别受影响的设备,而不是单独运行多个查询。 以下合并查询:

  • 查找勒索软件活动的相对具体和微妙的迹象
  • 权衡这些迹象的存在
  • 标识具有较高机会成为勒索软件目标的设备

运行时,此合并查询将返回显示多个攻击迹象的设备列表。 还会显示每种类型的勒索软件活动的计数。 若要运行此合并查询,请将其直接复制到 高级搜寻查询编辑器

// Find attempts to stop processes using taskkill.exe
let taskKill = DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "taskkill.exe" 
| summarize taskKillCount = dcount(ProcessCommandLine), TaskKillList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where taskKillCount > 10;
// Find attempts to stop processes using net stop
let netStop = DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "net.exe" and ProcessCommandLine has "stop"
| summarize netStopCount = dcount(ProcessCommandLine), NetStopList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where netStopCount > 10;
// Look for cipher.exe deleting data from multiple drives
let cipher = DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "cipher.exe" 
// cipher.exe /w flag used for deleting data 
| where ProcessCommandLine has "/w" 
| summarize CipherCount = dcount(ProcessCommandLine), 
CipherList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m) 
// cipher.exe accessing multiple drives in a short timeframe 
| where CipherCount > 1;
// Look for use of wevtutil to clear multiple logs
let wevtutilClear = DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine has "WEVTUTIL" and ProcessCommandLine has "CL"
| summarize LogClearCount = dcount(ProcessCommandLine), ClearedLogList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
| where LogClearCount > 10;
// Look for sc.exe disabling services
let scDisable = DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine has "sc" and ProcessCommandLine has "config" and ProcessCommandLine has "disabled"
| summarize ScDisableCount = dcount(ProcessCommandLine), ScDisableList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
| where ScDisableCount > 10;
// Main query for counting and aggregating evidence
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "vssadmin.exe" and ProcessCommandLine has_any("list shadows", "delete shadows")
or FileName =~ "fsutil.exe" and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal"
or ProcessCommandLine has("bcdedit") and ProcessCommandLine has_any("recoveryenabled no", "bootstatuspolicy ignoreallfailures")
or ProcessCommandLine has "wbadmin" and ProcessCommandLine has "delete" and ProcessCommandLine has_any("backup", "catalog", "systemstatebackup")
or (ProcessCommandLine has "wevtutil" and ProcessCommandLine has "cl") 
or (ProcessCommandLine has "wmic" and ProcessCommandLine has "shadowcopy delete")
or (ProcessCommandLine has "sc" and ProcessCommandLine has "config" and ProcessCommandLine has "disabled")
| extend Bcdedit = iff(ProcessCommandLine has "bcdedit" and ProcessCommandLine has_any("recoveryenabled no", "bootstatuspolicy ignoreallfailures"), 1, 0)
| extend ShadowCopyDelete = iff (ProcessCommandLine has "shadowcopy delete", 1, 0)
| extend VssAdminShadows = iff(ProcessCommandLine has "vssadmin" and ProcessCommandLine has_any("list shadows", "delete shadows"), 1, 0)
| extend Wbadmin = iff(ProcessCommandLine has "wbadmin" and ProcessCommandLine has "delete" and ProcessCommandLine has_any("backup", "catalog", "systemstatebackup"), 1,0)
| extend Fsutil = iff(ProcessCommandLine has "fsutil" and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal", 1, 0)
| summarize FirstActivity = min(Timestamp), ReportId = any(ReportId), Commands = make_set(ProcessCommandLine) by DeviceId, Fsutil, Wbadmin, ShadowCopyDelete, Bcdedit, VssAdminShadows, bin(Timestamp, 6h)
// Joining extra evidence
| join kind=leftouter (wevtutilClear) on $left.DeviceId == $right.DeviceId
| join kind=leftouter (cipher) on $left.DeviceId == $right.DeviceId
| join kind=leftouter (netStop) on $left.DeviceId == $right.DeviceId
| join kind=leftouter (taskKill) on $left.DeviceId == $right.DeviceId
| join kind=leftouter (scDisable) on $left.DeviceId == $right.DeviceId
| extend WevtutilUse = iff(LogClearCount > 10, 1, 0)
| extend CipherUse = iff(CipherCount > 1, 1, 0)
| extend NetStopUse = iff(netStopCount > 10, 1, 0)
| extend TaskkillUse = iff(taskKillCount > 10, 1, 0)
| extend ScDisableUse = iff(ScDisableCount > 10, 1, 0)
// Adding up all evidence
| mv-expand CommandList = NetStopList, TaskKillList, ClearedLogList, CipherList, Commands, ScDisableList
// Format results
| summarize BcdEdit = iff(make_set(Bcdedit) contains "1" , 1, 0), NetStop10PlusCommands = iff(make_set(NetStopUse) contains "1", 1, 0), Wevtutil10PlusLogsCleared = iff(make_set(WevtutilUse) contains "1", 1, 0),
CipherMultipleDrives = iff(make_set(CipherUse) contains "1", 1, 0), Fsutil = iff(make_set(Fsutil) contains "1", 1, 0), ShadowCopyDelete = iff(make_set(ShadowCopyDelete) contains "1", 1, 0),
Wbadmin = iff(make_set(Wbadmin) contains "1", 1, 0), TaskKill10PlusCommand = iff(make_set(TaskkillUse) contains "1", 1, 0), VssAdminShadow = iff(make_set(VssAdminShadows) contains "1", 1, 0), 
ScDisable = iff(make_set(ScDisableUse) contains "1", 1, 0), TotalEvidenceCount = count(CommandList), EvidenceList = make_set(Commands), StartofBehavior = min(FirstActivity) by DeviceId, bin(Timestamp, 1d)
| extend UniqueEvidenceCount = BcdEdit + NetStop10PlusCommands + Wevtutil10PlusLogsCleared + CipherMultipleDrives + Wbadmin + Fsutil + TaskKill10PlusCommand + VssAdminShadow + ScDisable + ShadowCopyDelete
| where UniqueEvidenceCount > 2

了解并调整查询结果

合并查询返回以下结果:

  • DeviceId - 标识受影响的设备
  • TimeStamp - 首次在设备上观察到任何勒索软件活动的迹象
  • 特定的活动迹象 - 多个列中显示的每个符号的计数,例如 BcdEditFsUtil
  • TotalEvidenceCount - 观察到的符号数
  • UniqueEvidenceCount - 观察到的符号类型数

Microsoft 365 Defender门户中勒索软件活动的合并查询示例

显示受影响的设备和各种勒索软件活动迹象计数的查询结果

默认情况下,查询结果仅列出具有两种以上类型的勒索软件活动的设备。 若要查看具有任何勒索软件活动符号的所有设备,请修改以下 where 运算符并将数字设置为零 (0) 。 若要查看更少的设备,请设置更高的数字。

| where UniqueEvidenceCount > 2

更多勒索软件资源

来自 Microsoft 的关键信息:

Microsoft 365:

Microsoft Azure:

Microsoft Defender for Cloud Apps:

Microsoft 安全团队博客文章: