Adversaries may be using manual, human-operated ransomware tactics to encrypt and exfiltrate data, indicating potential targeted attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate ransomware activity before significant data loss occurs.
KQL Query

```kusto
// Finds Net commands used to locate high-value accounts
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "net.exe"
// Collect the distinct command lines per device in 5-minute windows
// (makeset is the legacy name of make_set; the output column is set_ProcessCommandLine either way)
| summarize makeset(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
// Keep windows whose combined command lines show privileged-group enumeration:
// an "admin" term, a domain/enterprise/backup operators term, a "group" term and a /do... switch
| where (set_ProcessCommandLine has "admin"
    and set_ProcessCommandLine has_any("domain", "enterprise", "backup operators"))
    and set_ProcessCommandLine has "group" and set_ProcessCommandLine contains "/do"
```
```yaml
id: 34ade758-9e1e-4e65-9adc-1b8d6f081ebf
name: doppelpaymer
description: |
  This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog.
  DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they may use net.exe to run reconnaissance and find service accounts to target. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization.
  The following query detects the net.exe reconnaissance method described above.
  The See also section below lists links to other queries associated with DoppelPaymer.
  References:
  https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/
  https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Discovery
  - Lateral movement
query: |
  // Finds Net commands used to locate high-value accounts
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName == "net.exe"
  // Collect the distinct command lines per device in 5-minute windows
  // (makeset is the legacy name of make_set; the output column is set_ProcessCommandLine either way)
  | summarize makeset(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
  // Keep windows whose combined command lines show privileged-group enumeration:
  // an "admin" term, a domain/enterprise/backup operators term, a "group" term and a /do... switch
  | where (set_ProcessCommandLine has "admin"
      and set_ProcessCommandLine has_any("domain", "enterprise", "backup operators"))
      and set_ProcessCommandLine has "group" and set_ProcessCommandLine contains "/do"
```
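To make clear what the query above actually computes, here is an added Python re-implementation of its logic run over constructed DeviceProcessEvents rows. This is illustration code written for this page, not Microsoft's or Sentinel's code; the sample events, the NOW evaluation time and the helper names (kql_has, kql_has_any, kql_contains, bin_5m, hunt) are all constructed. It reproduces the 7-day lookback, the 5-minute binning, the per-device make_set grouping, and the term-based semantics of has/has_any (whole terms only) versus the substring semantics of contains. That distinction is why a window holding only `net group "Domain Admins" /domain` does not satisfy `has "admin"` (the term is "admins"), while a window that also holds `net user admin /domain` does.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows standing in for DeviceProcessEvents (not real telemetry).
SAMPLE_EVENTS = [
    # dev-A: user lookup, then privileged-group enumeration 2.5 minutes later -> same 5m bin
    {"Timestamp": "2023-01-10T09:01:10Z", "DeviceId": "dev-A", "FileName": "net.exe",
     "ProcessCommandLine": "net user admin /domain"},
    {"Timestamp": "2023-01-10T09:03:42Z", "DeviceId": "dev-A", "FileName": "net.exe",
     "ProcessCommandLine": 'net group "Domain Admins" /domain'},
    # dev-B: ordinary drive mapping, none of the query's terms
    {"Timestamp": "2023-01-10T09:02:00Z", "DeviceId": "dev-B", "FileName": "net.exe",
     "ProcessCommandLine": "net use Z: \\\\fileserver\\share"},
    # dev-C: the two commands land in different 5-minute bins, so no single window has all terms
    {"Timestamp": "2023-01-10T09:02:30Z", "DeviceId": "dev-C", "FileName": "net.exe",
     "ProcessCommandLine": 'net group "Domain Admins" /domain'},
    {"Timestamp": "2023-01-10T09:20:00Z", "DeviceId": "dev-C", "FileName": "net.exe",
     "ProcessCommandLine": "net user admin /domain"},
    # dev-D: same commands, but FileName is cmd.exe, so the FileName filter drops the row
    {"Timestamp": "2023-01-10T09:02:50Z", "DeviceId": "dev-D", "FileName": "cmd.exe",
     "ProcessCommandLine": 'cmd.exe /c net user admin /domain & net group "Enterprise Admins" /domain'},
    # dev-E: would match, but is older than the 7-day lookback relative to NOW
    {"Timestamp": "2022-12-20T09:00:00Z", "DeviceId": "dev-E", "FileName": "net.exe",
     "ProcessCommandLine": 'net group "Enterprise Admins" /domain & net user admin /domain'},
]
NOW = "2023-01-10T12:00:00Z"  # constructed evaluation time used for ago(7d)

TERM_RE = re.compile(r"[a-z0-9]+")


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def terms(text):
    """Split text into KQL-style terms: runs of alphanumerics, compared case-insensitively."""
    return TERM_RE.findall(text.lower())


def kql_has(haystack, needle):
    """`has`: the needle's term(s) must appear as consecutive whole terms, never as a substring."""
    h, n = terms(haystack), terms(needle)
    if not n:
        return False
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def kql_has_any(haystack, needles):
    return any(kql_has(haystack, n) for n in needles)


def kql_contains(haystack, needle):
    """`contains`: plain case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def bin_5m(dt):
    """bin(Timestamp, 5m): floor a datetime to the start of its 5-minute window."""
    return dt.replace(minute=dt.minute - dt.minute % 5, second=0, microsecond=0)


def hunt(events, now):
    """Evaluate the page's query over event dicts; returns one record per matching window."""
    cutoff = parse_ts(now) - timedelta(days=7)
    sets = defaultdict(list)  # (DeviceId, window start) -> distinct command lines, like make_set
    for e in events:
        ts = parse_ts(e["Timestamp"])
        if ts <= cutoff or e["FileName"] != "net.exe":
            continue
        key = (e["DeviceId"], bin_5m(ts))
        if e["ProcessCommandLine"] not in sets[key]:
            sets[key].append(e["ProcessCommandLine"])
    hits = []
    for (device, start), cmds in sets.items():
        # String operators applied to a dynamic array act on its JSON form, so serialise the set
        s = json.dumps(cmds)
        if ((kql_has(s, "admin")
             and kql_has_any(s, ["domain", "enterprise", "backup operators"]))
                and kql_has(s, "group") and kql_contains(s, "/do")):
            hits.append({"DeviceId": device, "Timestamp": start, "set_ProcessCommandLine": cmds})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, NOW):
        print(hit["DeviceId"], hit["Timestamp"].isoformat(), hit["set_ProcessCommandLine"])
```

Running it prints a single window for dev-A starting at 09:00. When tuning the exclusions discussed further down, note that DeviceProcessEvents exposes the process name as FileName, its arguments as ProcessCommandLine and the parent as InitiatingProcessFileName, so filters written against fields named process.name or process.parent_process.name need to be translated to those columns before they can be added to this query.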
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job using Veeam Backup & Replication or Commvault may trigger the rule due to similar process creation patterns.
Filter/Exclusion: Check for process.name containing “Veeam” or “Commvault” and exclude processes related to backup operations.

Scenario: Admin Task – PowerShell Script Execution
Description: An administrator running a PowerShell script (e.g., Invoke-Command, Start-Job) for system maintenance or configuration management may trigger the rule.
Filter/Exclusion: Filter by process.name containing “powershell.exe” and check for known admin scripts, or use process.args containing “Invoke-Command” or “Start-Job”.

Scenario: Remote Desktop Services (RDS) Session
Description: A user logging in via Remote Desktop Services (RDS) may trigger the rule due to process creation in the context of a remote session.
Filter/Exclusion: Check for process.parent_process.name containing “tsclient.exe” or “mstsc.exe” to identify RDS-related activity.

Scenario: Antivirus or EDR Tool Behavior
Description: A legitimate endpoint detection and response (EDR) tool like CrowdStrike Falcon or Microsoft Defender ATP may exhibit similar behavior to the ransomware during threat hunting or incident response.
Filter/Exclusion: Filter by process.name containing “falcon” or “MsDefender” and check for known EDR tool processes.

Scenario: Manual Software Deployment via SCCM
Description: A System Center Configuration Manager (SCCM) deployment task may trigger the rule due to process creation during software installation.
Filter/Exclusion: Filter by process.name