|
| 1 | +# Detect DoppelPaymer performing reconnaissance with net.exe |
| 2 | + |
| 3 | +This query was originally published in the threat analytics report, *Doppelpaymer: More human-operated ransomware*. There is also a related [blog](https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/). |
| 4 | + |
| 5 | +[DoppelPaymer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372) is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they may use *net.exe* to run reconnaissance and find service accounts to target. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization. |
| 6 | + |
| 7 | +The following query detects the *net.exe* reconnaissance method described above. |
| 8 | + |
| 9 | +The [See also](#See-also) section below lists links to other queries associated with DoppelPaymer. |
| 10 | + |
| 11 | +## Query |
| 12 | + |
| 13 | +```Kusto |
| 14 | +// Finds Net commands used to locate high-value accounts |
| 15 | +DeviceProcessEvents |
| 16 | +| where Timestamp > ago(7d) |
| 17 | +| where FileName == "net.exe" |
| 18 | +// Create a set for the command lines |
| 19 | +| summarize makeset(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m) |
| 20 | +// Other process launches by Net in that same timeframe |
| 21 | +| where (set_ProcessCommandLine has "admin" |
| 22 | +and set_ProcessCommandLine has_any("domain", "enterprise", "backup operators")) |
| 23 | +and set_ProcessCommandLine has "group" and set_ProcessCommandLine contains "/do" |
| 24 | +``` |
| 25 | + |
| 26 | +## Category |
| 27 | + |
| 28 | +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. |
| 29 | + |
| 30 | +| Technique, tactic, or state | Covered? (v=yes) | Notes | |
| 31 | +|-|-|-| |
| 32 | +| Initial access | | | |
| 33 | +| Execution | | | |
| 34 | +| Persistence | | | |
| 35 | +| Privilege escalation | | | |
| 36 | +| Defense evasion | | | |
| 37 | +| Credential Access | | | |
| 38 | +| Discovery | v | | |
| 39 | +| Lateral movement | v | | |
| 40 | +| Collection | | | |
| 41 | +| Command and control | | | |
| 42 | +| Exfiltration | | | |
| 43 | +| Impact | | | |
| 44 | +| Vulnerability | | | |
| 45 | +| Misconfiguration | | | |
| 46 | +| Malware, component | | | |
| 47 | + |
| 48 | +## See also |
| 49 | + |
| 50 | +* [Detect DoppelPaymer operators spreading files with PsExec](../Lateral%20Movement/doppelpaymer-psexec.md) |
| 51 | +* [Detect DoppelPaymer operators stopping services](../Defense%20evasion/doppelpaymer-stop-services.md) |
| 52 | +* [Detect DoppelPaymer operators dumping credentials with ProcDump](../Credential%20Access/doppelpaymer-procdump.md) |
| 53 | + |
| 54 | +## Contributor info |
| 55 | + |
| 56 | +**Contributor:** Microsoft Threat Protection team |
0 commit comments