The hypothesis is that the detection identifies potential credential dumping activity associated with the Wadhrama ransomware, which adversaries may use to maintain persistence and escalate privileges within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage Wadhrama ransomware infections before significant damage occurs.
KQL Query

```kusto
// Find use of Image File Execution Options (IFEO) in conjunction
// with a .bat file to dump credentials
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has "sethc" or RegistryKey has "utilman"
```
```yaml
id: 8348d279-c95f-4dbe-b952-65048dc06559
name: wadhrama-credential-dump
description: |
  This query was originally published in the threat analytics report, RDP ransomware persists as Wadhrama.
  The ransomware known as Wadhrama has been used in human-operated attacks that follow a particular pattern. The attackers often use Remote Desktop Protocol (RDP) to gain initial access to a device or network, exfiltrate credentials, and maintain persistence.
  The following query checks for possible Wadhrama-related activity by detecting the technique these attackers have used in the past to dump credentials.
  Other techniques used by the group associated with Wadhrama are listed under See also.
  Reference - https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Wadhrama
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceRegistryEvents
tactics:
  - Credential Access
  - Impact
query: |
  // Find use of Image File Execution Options (IFEO) in conjunction
  // with a .bat file to dump credentials
  DeviceRegistryEvents
  | where Timestamp > ago(7d)
  | where RegistryKey has "sethc" or RegistryKey has "utilman"
```
| Sentinel Table | Notes |
|---|---|
| DeviceRegistryEvents | Ensure this data connector is enabled |
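To show concretely what the query's two `has` filters do and do not match, here is an added Python example (not the page's or Microsoft's code) that replays the same logic over constructed DeviceRegistryEvents rows. The tighter `is_ifeo_bat_debugger` triage check is an assumption drawn from the query's comment (IFEO key, Debugger value, .bat target), not part of the published KQL.

```python
import re
from datetime import datetime, timedelta, timezone

IFEO_MARKER = "\\image file execution options\\"  # compared in lowercase
TARGET_TERMS = ("sethc", "utilman")

# Constructed sample DeviceRegistryEvents rows (illustrative, not real telemetry).
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
IFEO = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
SAMPLE_EVENTS = [
    {"Timestamp": NOW - timedelta(days=1), "DeviceName": "ws01",
     "RegistryKey": IFEO + "sethc.exe", "RegistryValueName": "Debugger",
     "RegistryValueData": "C:\\Windows\\Temp\\dump.bat"},
    {"Timestamp": NOW - timedelta(days=2), "DeviceName": "ws02",
     "RegistryKey": IFEO + "utilman.exe", "RegistryValueName": "Debugger",
     "RegistryValueData": "C:\\Windows\\System32\\cmd.exe"},
    {"Timestamp": NOW - timedelta(days=30), "DeviceName": "ws03",
     "RegistryKey": IFEO + "sethc.exe", "RegistryValueName": "Debugger",
     "RegistryValueData": "C:\\x.bat"},  # outside the 7-day window
    {"Timestamp": NOW - timedelta(hours=3), "DeviceName": "ws04",
     "RegistryKey": "HKLM\\SOFTWARE\\Vendor\\Setup", "RegistryValueName": "Path",
     "RegistryValueData": "C:\\Program Files\\Vendor"},  # unrelated key
]

def kql_has(text, term):
    """Approximate KQL `has`: case-insensitive whole-term match, where a term is a
    run of letters/digits/underscores (so '...\\sethc.exe' has 'sethc')."""
    pattern = r"(?<![a-z0-9_])" + re.escape(term) + r"(?![a-z0-9_])"
    return re.search(pattern, text, re.I) is not None

def hunt(events, now=NOW, window_days=7):
    """Mirror of the page's KQL: events in the window whose key has sethc or utilman."""
    cutoff = now - timedelta(days=window_days)
    return [e for e in events
            if e["Timestamp"] > cutoff
            and any(kql_has(e["RegistryKey"], t) for t in TARGET_TERMS)]

def is_ifeo_bat_debugger(event):
    """Tighter triage test (assumption from the query's comment, not in the KQL):
    key under IFEO, the value written is Debugger, and it points at a .bat file."""
    key = event["RegistryKey"].lower()
    return (IFEO_MARKER in key
            and event.get("RegistryValueName", "").lower() == "debugger"
            and event.get("RegistryValueData", "").lower().endswith(".bat"))

def triage(events, now=NOW):
    """Return (all hunt hits, subset that also matches the tighter IFEO/.bat pattern)."""
    hits = hunt(events, now)
    return hits, [e for e in hits if is_ifeo_bat_debugger(e)]

if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        label = "STRONG" if is_ifeo_bat_debugger(e) else "review"
        print(label, e["DeviceName"], e["RegistryKey"], e.get("RegistryValueData"))
```

Hits that fail the tighter check (ws02 above) still need analyst review, since the published query deliberately casts a wide net.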
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that temporarily writes to memory or disk, mimicking credential dumping.
Filter/Exclusion: Exclude processes associated with schtasks.exe or tasks with names like SystemMaintenance or DiskCleanup.

Scenario: PowerShell Credential Export for Backup Purposes
Description: An admin uses PowerShell to export credentials for backup, which may trigger the rule due to credential handling.
Filter/Exclusion: Exclude processes with powershell.exe where the command line includes -Command or -File and contains Export-Clixml, Export-Csv, or ConvertTo-SecureString.

Scenario: Admin Performing Credential Reset via Remote Desktop
Description: An admin resets a user’s password via RDP and uses tools like net user or PsExec to update credentials, which may be flagged.
Filter/Exclusion: Exclude processes initiated from mstsc.exe or tasks with PsExec where the command includes net user or net password.

Scenario: Windows Credential Manager Export
Description: A user exports their Windows Credential Manager credentials using cmdkey or third-party tools like Credential Manager Exporter, which may trigger the rule.
Filter/Exclusion: Exclude processes with cmdkey.exe or tools known to export credentials, such as credexport.exe or Credential Manager Exporter.

Scenario: Automated Patching Tool Credential Handling
Description: A patching tool like Microsoft’s Windows Update or third-party tools like Patch Manager temporarily stores credentials during updates, which may be flagged.
Filter/Exclusion: Exclude processes associated with wuauclt.exe, msiexec.exe, or known patching tools where the task