共用方式為


搜捕勒索軟體

適用於:

  • Microsoft Defender XDR

勒索軟體從影響個別計算機用戶的簡單商品惡意代碼快速演進,成為嚴重影響產業和政府機構的企業威脅。 雖然 Microsoft Defender 全面偵測回應 提供許多功能來偵測和封鎖勒索軟體和相關聯的入侵活動,但針對入侵徵兆執行主動式檢查有助於保護您的網路。

瞭解人為操作的勒索軟體

使用 Microsoft Defender 全面偵測回應 中的進階搜捕,您可以建立查詢來找出與勒索軟體活動相關聯的個別成品。 您也可以執行更複雜的查詢,以尋找活動徵兆並權衡這些徵兆,以尋找需要立即注意的裝置。

勒索軟體活動的徵兆

Microsoft 安全性研究人員在許多由複雜入侵者所啟動的勒索軟體活動中觀察到各種常見但細微的成品。 這些符號大多牽涉到使用系統工具來準備加密、防止偵測,以及清除鑑識辨識項。

勒索軟體活動 一般工具 Intent
停止進程 taskkill.exe,net stop 確保各種應用程式不會鎖定以加密為目標的檔案。
關閉服務 sc.exe - 確保各種應用程式不會鎖定以加密為目標的檔案。
- 防止安全性軟體中斷加密和其他勒索軟體活動。
- 停止備份軟體建立可復原的複本。
刪除記錄和檔案 cipher.exewevtutilfsutil.exe 拿掉鑑識辨識項。
刪除陰影複製 vsadmin.exewmic.exe 拿掉可用來復原加密檔案的磁碟驅動器陰影複製。
刪除和停止備份 wbadmin.exe 刪除現有的備份並停止排程的備份工作,防止加密后復原。
修改開機設定 bcdedit.exe 關閉加密程式可能造成的開機失敗之後的警告和自動修復。
關閉復原工具 schtasks.exeregedit.exe 關閉 [系統還原] 和其他系統復原選項。

檢查勒索軟體活動的個別徵兆

構成勒索軟體行為的許多活動,包括上一節所述的活動,可能是良性的。 使用下列查詢尋找勒索軟體時,請執行多個查詢來檢查相同的裝置是否呈現各種可能勒索軟體活動徵兆。

使用 taskkill.exe 停止多個進程

此查詢會檢查是否嘗試使用taskkill.exe公用程式停止至少10 個不同的 進程。 執行查詢

// Find attempts to stop processes using taskkill.exe
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "taskkill.exe" 
| summarize taskKillCount = dcount(ProcessCommandLine), TaskKillList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where taskKillCount > 10

使用 net stop 停止進程

此查詢會檢查是否嘗試使用 net stop 命令停止至少 10 個不同的進程。 執行查詢

// Find attempts to stop processes using net stop
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "net.exe" and ProcessCommandLine has "stop"
| summarize netStopCount = dcount(ProcessCommandLine), NetStopList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where netStopCount > 10

使用cipher.exe 刪除多個磁碟驅動器上的數據

此查詢會檢查是否嘗試使用 cipher.exe刪除多個磁碟驅動器上的數據。 勒索軟體通常會執行此活動,以防止在加密后復原數據。 執行查詢

// Look for cipher.exe deleting data from multiple drives
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "cipher.exe" 
// cipher.exe /w flag used for deleting data 
| where ProcessCommandLine has "/w" 
| summarize CipherCount = dcount(ProcessCommandLine),
CipherList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m) 
// cipher.exe accessing multiple drives in a short timeframe 
| where CipherCount > 1

使用 wevtutil 從事件記錄檔中清除鑑識辨識辨識項

此查詢會檢查是否嘗試使用 wevtutil 從事件記錄檔中清除至少 10 個記錄專案。 執行查詢

// Look for use of wevtutil to clear multiple logs
DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine has "WEVTUTIL" and ProcessCommandLine has "CL"
| summarize LogClearCount = dcount(ProcessCommandLine), ClearedLogList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
| where LogClearCount > 10

使用 sc.exe 關閉服務

此查詢會檢查是否嘗試使用sc.exe關閉至少10 現有的服務。 執行查詢

// Look for sc.exe disabling services
DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine has "sc" and ProcessCommandLine has "config" and ProcessCommandLine has "disabled"
| summarize ScDisableCount = dcount(ProcessCommandLine), ScDisableList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
| where ScDisableCount > 10

關閉系統還原

此查詢會識別停止系統還原並防止系統建立還原點的嘗試,其可用來復原勒索軟體所加密的數據。 執行查詢

DeviceProcessEvents
//Pivoting for rundll32  
| where InitiatingProcessFileName =~ 'rundll32.exe'   
//Looking for empty command line   
and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""  
//Looking for schtasks.exe as the created process  
and FileName in~ ('schtasks.exe')  
//Disabling system restore   
and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore' 
and ProcessCommandLine has 'disable'

備份刪除

此查詢會識別在加密之前使用 wmic.exe 刪除陰影複製快照集。 執行查詢

DeviceProcessEvents
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete"
| project DeviceId, Timestamp, InitiatingProcessFileName, FileName,
ProcessCommandLine, InitiatingProcessIntegrityLevel, InitiatingProcessParentFileName

檢查勒索軟體活動的多個徵兆

除了個別執行數個查詢,您也可以使用完整的查詢來檢查勒索軟體活動的多個徵兆,以識別受影響的裝置。 下列合併查詢:

  • 同時尋找勒索軟體活動的相對具體和細微徵兆
  • 權衡這些符號是否存在
  • 識別有較高機率成為勒索軟體目標的裝置

執行時,此合併查詢會傳回已呈現多個攻擊徵兆的裝置清單。 也會顯示每種勒索軟體活動的計數。 若要執行此合併查詢,請將它直接複製到 進階搜捕查詢編輯器

// Find attempts to stop processes using taskkill.exe
let taskKill = DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "taskkill.exe" 
| summarize taskKillCount = dcount(ProcessCommandLine), TaskKillList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where taskKillCount > 10;
// Find attempts to stop processes using net stop
let netStop = DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "net.exe" and ProcessCommandLine has "stop"
| summarize netStopCount = dcount(ProcessCommandLine), NetStopList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where netStopCount > 10;
// Look for cipher.exe deleting data from multiple drives
let cipher = DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "cipher.exe" 
// cipher.exe /w flag used for deleting data 
| where ProcessCommandLine has "/w" 
| summarize CipherCount = dcount(ProcessCommandLine), 
CipherList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m) 
// cipher.exe accessing multiple drives in a short timeframe 
| where CipherCount > 1;
// Look for use of wevtutil to clear multiple logs
let wevtutilClear = DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine has "WEVTUTIL" and ProcessCommandLine has "CL"
| summarize LogClearCount = dcount(ProcessCommandLine), ClearedLogList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
| where LogClearCount > 10;
// Look for sc.exe disabling services
let scDisable = DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine has "sc" and ProcessCommandLine has "config" and ProcessCommandLine has "disabled"
| summarize ScDisableCount = dcount(ProcessCommandLine), ScDisableList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
| where ScDisableCount > 10;
// Main query for counting and aggregating evidence
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "vssadmin.exe" and ProcessCommandLine has_any("list shadows", "delete shadows")
or FileName =~ "fsutil.exe" and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal"
or ProcessCommandLine has("bcdedit") and ProcessCommandLine has_any("recoveryenabled no", "bootstatuspolicy ignoreallfailures")
or ProcessCommandLine has "wbadmin" and ProcessCommandLine has "delete" and ProcessCommandLine has_any("backup", "catalog", "systemstatebackup")
or (ProcessCommandLine has "wevtutil" and ProcessCommandLine has "cl") 
or (ProcessCommandLine has "wmic" and ProcessCommandLine has "shadowcopy delete")
or (ProcessCommandLine has "sc" and ProcessCommandLine has "config" and ProcessCommandLine has "disabled")
| extend Bcdedit = iff(ProcessCommandLine has "bcdedit" and ProcessCommandLine has_any("recoveryenabled no", "bootstatuspolicy ignoreallfailures"), 1, 0)
| extend ShadowCopyDelete = iff (ProcessCommandLine has "shadowcopy delete", 1, 0)
| extend VssAdminShadows = iff(ProcessCommandLine has "vssadmin" and ProcessCommandLine has_any("list shadows", "delete shadows"), 1, 0)
| extend Wbadmin = iff(ProcessCommandLine has "wbadmin" and ProcessCommandLine has "delete" and ProcessCommandLine has_any("backup", "catalog", "systemstatebackup"), 1,0)
| extend Fsutil = iff(ProcessCommandLine has "fsutil" and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal", 1, 0)
| summarize FirstActivity = min(Timestamp), ReportId = any(ReportId), Commands = make_set(ProcessCommandLine) by DeviceId, Fsutil, Wbadmin, ShadowCopyDelete, Bcdedit, VssAdminShadows, bin(Timestamp, 6h)
// Joining extra evidence
| join kind=leftouter (wevtutilClear) on $left.DeviceId == $right.DeviceId
| join kind=leftouter (cipher) on $left.DeviceId == $right.DeviceId
| join kind=leftouter (netStop) on $left.DeviceId == $right.DeviceId
| join kind=leftouter (taskKill) on $left.DeviceId == $right.DeviceId
| join kind=leftouter (scDisable) on $left.DeviceId == $right.DeviceId
| extend WevtutilUse = iff(LogClearCount > 10, 1, 0)
| extend CipherUse = iff(CipherCount > 1, 1, 0)
| extend NetStopUse = iff(netStopCount > 10, 1, 0)
| extend TaskkillUse = iff(taskKillCount > 10, 1, 0)
| extend ScDisableUse = iff(ScDisableCount > 10, 1, 0)
// Adding up all evidence
| mv-expand CommandList = NetStopList, TaskKillList, ClearedLogList, CipherList, Commands, ScDisableList
// Format results
| summarize BcdEdit = iff(make_set(Bcdedit) contains "1" , 1, 0), NetStop10PlusCommands = iff(make_set(NetStopUse) contains "1", 1, 0), Wevtutil10PlusLogsCleared = iff(make_set(WevtutilUse) contains "1", 1, 0),
CipherMultipleDrives = iff(make_set(CipherUse) contains "1", 1, 0), Fsutil = iff(make_set(Fsutil) contains "1", 1, 0), ShadowCopyDelete = iff(make_set(ShadowCopyDelete) contains "1", 1, 0),
Wbadmin = iff(make_set(Wbadmin) contains "1", 1, 0), TaskKill10PlusCommand = iff(make_set(TaskkillUse) contains "1", 1, 0), VssAdminShadow = iff(make_set(VssAdminShadows) contains "1", 1, 0), 
ScDisable = iff(make_set(ScDisableUse) contains "1", 1, 0), TotalEvidenceCount = count(CommandList), EvidenceList = make_set(Commands), StartofBehavior = min(FirstActivity) by DeviceId, bin(Timestamp, 1d)
| extend UniqueEvidenceCount = BcdEdit + NetStop10PlusCommands + Wevtutil10PlusLogsCleared + CipherMultipleDrives + Wbadmin + Fsutil + TaskKill10PlusCommand + VssAdminShadow + ScDisable + ShadowCopyDelete
| where UniqueEvidenceCount > 2

瞭解並調整查詢結果

合併查詢會傳回下列結果:

  • DeviceId— 識別受影響的裝置

  • TimeStamp— 第一次在裝置上觀察到勒索軟體活動的任何徵兆

  • 特定的活動徵兆— 多個數據行中顯示的每個符號計數,例如 BcdEditFsUtil

  • TotalEvidenceCount— 觀察到的符號數目

  • UniqueEvidenceCount— 觀察到的符號類型數目

    Microsoft Defender 入口網站中勒索軟體活動的合併查詢範例

顯示受影響裝置和各種勒索軟體活動徵兆計數的查詢結果

根據預設,查詢結果只會列出具有兩種以上勒索軟體活動的裝置。 若要查看具有勒索軟體活動任何標誌的所有裝置,請修改下列 where 運算符,並將數字設定為零 (0) 。 若要查看較少的裝置,請設定較高的數位。

| where UniqueEvidenceCount > 2

更多勒索軟體資源

Microsoft 的重要資訊:

Microsoft 365:

Microsoft Azure:

Microsoft 雲端 App 安全性:

Microsoft 安全性小組部落格文章:

提示

想要深入了解? Engage 技術社群中的 Microsoft 安全性社群:Microsoft Defender 全面偵測回應 技術社群。