This hunting hypothesis covers an adversary attempting to evade detection by using a custom script to bypass the environment's standard monitoring mechanisms. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat (APT) activity that could otherwise go undetected.
KQL Query
```kusto
// RobbinHood execution and security evasion
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "winlogon.exe"
| where FileName == "cmd.exe" and ProcessCommandLine has_any("taskkill", "net", "robbin", "vssadmin", "bcdedit", "wevtutil")
```
```yaml
id: 75f492b5-b4ab-446e-8a9f-0607fbee2baa
name: robbinhood-evasion
description: |
  This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog.
  Robbinhood is ransomware that has been involved in several high-profile incidents, including a 2019 attack on the city of Baltimore, Maryland. Robbinhood operators often employ a distinctive defense evasion technique, where they load a vulnerable driver onto a target and exploit it in order to turn off security software -- essentially using the driver as malware.
  The following query detects a late stage of this technique, when the operator is issuing commands to turn off the driver.
  For a query that detects an earlier stage of this technique, see Detect loading of vulnerable drivers by Robbinhood ransomware campaign.
  References:
  https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
  https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Robinhood.A&ThreatID=2147735370
  https://www.nytimes.com/2019/05/22/us/baltimore-ransomware.html
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - Defense evasion
query: |
  // RobbinHood execution and security evasion
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where InitiatingProcessFileName =~ "winlogon.exe"
  | where FileName == "cmd.exe" and ProcessCommandLine has_any("taskkill", "net", "robbin", "vssadmin", "bcdedit", "wevtutil")
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is performing a scheduled backup using Veeam Backup & Replication.
  Filter/Exclusion: Exclude processes associated with veeambackup.exe, or check for the presence of a known backup job name in the process command line.
- Scenario: A developer is using Docker to run a containerized application with elevated privileges.
  Filter/Exclusion: Exclude processes running under the Docker daemon (dockerd.exe), or check for the presence of a known container image or command-line argument.
- Scenario: A database administrator is executing a SQL Server Agent job that performs routine maintenance.
  Filter/Exclusion: Exclude processes associated with sqlservr.exe, and check for the presence of a known job name or SQL Server Agent task.
- Scenario: A DevOps engineer is using Ansible to automate configuration management tasks.
  Filter/Exclusion: Exclude processes associated with ansible.exe, or check for the presence of a known playbook or task name in the command line.
- Scenario: A system update is being applied via Windows Update or Group Policy.
  Filter/Exclusion: Exclude processes associated with wuauclt.exe, or check for the presence of a known update or policy name in the process command line.
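To show what the query above actually matches, and how the "known job name in the command line" tuning from the scenarios interacts with it, here is an added Python re-implementation of the three where-clauses run over constructed sample DeviceProcessEvents rows (this is example code, not the page's or Microsoft's; the job name NightlyVeeamJob and the process endpointagent.exe are hypothetical). It models KQL's has_any() as whole-term matching and keeps the case-sensitivity difference between =~ and ==, both of which affect what the hunt returns.

```python
import re
from datetime import datetime, timedelta, timezone

# Terms from the page's has_any() list.
SUSPECT_TERMS = ("taskkill", "net", "robbin", "vssadmin", "bcdedit", "wevtutil")
# Assumed tuning list (hypothetical job name) modelled on the page's
# "known backup job name in the command line" exclusion.
KNOWN_JOB_NAMES = ("NightlyVeeamJob",)
_TERM_RE = re.compile(r"[A-Za-z0-9]+")

def kql_has_any(text, terms):
    """Approximate KQL has_any(): case-insensitive match on whole terms
    (alphanumeric runs), so 'robbin' does NOT match 'robbinhood.exe'."""
    tokens = {t.lower() for t in _TERM_RE.findall(text)}
    return any(term.lower() in tokens for term in terms)

def matches_query(event, now):
    """The page's three where-clauses. Note =~ is case-insensitive but
    == is case-sensitive, so a child named 'CMD.EXE' would be missed."""
    if event["Timestamp"] <= now - timedelta(days=7):
        return False
    if event["InitiatingProcessFileName"].lower() != "winlogon.exe":
        return False
    if event["FileName"] != "cmd.exe":
        return False
    return kql_has_any(event["ProcessCommandLine"], SUSPECT_TERMS)

def is_known_benign(event):
    cmd = event["ProcessCommandLine"].lower()
    return any(job.lower() in cmd for job in KNOWN_JOB_NAMES)

def hunt(events, now):
    """Return (hit_ids, suppressed_ids): matches that survive tuning, and
    matches dropped by the exclusion list (keep these for periodic review)."""
    hits, suppressed = [], []
    for e in events:
        if matches_query(e, now):
            (suppressed if is_known_benign(e) else hits).append(e["ReportId"])
    return hits, suppressed

NOW = datetime(2020, 5, 1, tzinfo=timezone.utc)
def _ev(rid, age_h, parent, child, cmdline):
    return {"ReportId": rid, "Timestamp": NOW - timedelta(hours=age_h),
            "InitiatingProcessFileName": parent, "FileName": child,
            "ProcessCommandLine": cmdline}

# Constructed sample rows, not real telemetry; endpointagent.exe is hypothetical.
SAMPLE_EVENTS = [
    _ev(1, 2, "winlogon.exe", "cmd.exe", "cmd.exe /c taskkill /f /im endpointagent.exe"),
    _ev(2, 5, "WINLOGON.EXE", "cmd.exe", "cmd.exe /c backup.bat NightlyVeeamJob & vssadmin list shadows"),
    _ev(3, 1, "winlogon.exe", "cmd.exe", "cmd.exe /c C:\\Tools\\robbinhood.exe /report"),
    _ev(4, 240, "winlogon.exe", "cmd.exe", "cmd.exe /c bcdedit /v"),   # older than 7d
    _ev(5, 3, "winlogon.exe", "CMD.EXE", "cmd.exe /c wevtutil el"),     # == is case-sensitive
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS, NOW))  # ([1], [2])
```

Rows 3 and 5 are the ones worth noticing: a substring of a term does not satisfy has_any(), and the case-sensitive == on FileName lets a differently-cased image name through, so consider =~ there if your telemetry is not normalised.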