The WastedLocker Downloader detection identifies adversaries using a custom downloader to initiate ransomware execution, leveraging unusual process injection techniques to evade standard defenses. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage ransomware attacks before encryption impacts critical assets.
KQL Query

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'wscript.exe' and FileName =~ 'powershell.exe' and InitiatingProcessCommandLine matches regex @"(?i)\\chrome\.update\..+?\.js"
```
```yaml
id: 4a8dec0a-2cfc-40a6-af59-e6657c26d0c1
name: WastedLocker Downloader
description: |
  This query identifies the launch pattern associated with wastedlocker ransomware.
  Reference writeup: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ 'wscript.exe' and FileName =~ 'powershell.exe' and InitiatingProcessCommandLine matches regex @"(?i)\\chrome\.update\..+?\.js"
```
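As an added example (not part of the original rule or the catalog entry), the Python below re-implements the query's where clause and runs it over constructed DeviceProcessEvents rows, two of which mirror the benign scenarios this page lists, to show which rows the rule would return. Column names follow the query; all device names, paths and command lines are invented sample data.

```python
import re
from typing import Dict, List

# Same predicate as the KQL where clause. KQL `matches regex` is an unanchored
# search, so re.search() is the equivalent; `(?i)` keeps it case-insensitive.
CHROME_UPDATE_JS = re.compile(r"(?i)\\chrome\.update\..+?\.js")

def is_wastedlocker_downloader(event: Dict[str, str]) -> bool:
    """True when a DeviceProcessEvents row satisfies the rule.
    KQL `=~` is case-insensitive equality, hence casefold()."""
    parent = event.get("InitiatingProcessFileName", "").casefold()
    child = event.get("FileName", "").casefold()
    cmdline = event.get("InitiatingProcessCommandLine", "")
    return (
        parent == "wscript.exe"
        and child == "powershell.exe"
        and CHROME_UPDATE_JS.search(cmdline) is not None
    )

def run_rule(events: List[Dict[str, str]]) -> List[str]:
    """Apply the rule to a batch of rows; return the DeviceName of each hit."""
    return [e["DeviceName"] for e in events if is_wastedlocker_downloader(e)]

# Constructed sample rows (not real telemetry); field names follow the
# DeviceProcessEvents columns the query uses.
SAMPLE_EVENTS = [
    {   # Hit: wscript.exe running chrome.update.<id>.js spawns powershell.exe
        "DeviceName": "ws-finance-07",
        "InitiatingProcessFileName": "WScript.exe",
        "FileName": "PowerShell.exe",
        "InitiatingProcessCommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\jdoe\AppData\Local\Temp\chrome.update.1f3a.js"',
    },
    {   # Benign (scheduled-job scenario): parent is not wscript.exe
        "DeviceName": "srv-build-02",
        "InitiatingProcessFileName": "schtasks.exe",
        "FileName": "powershell.exe",
        "InitiatingProcessCommandLine": r'schtasks.exe /run /tn "Nightly Cleanup"',
    },
    {   # Benign: wscript.exe logon script without the chrome.update.*.js name
        "DeviceName": "ws-sales-11",
        "InitiatingProcessFileName": "wscript.exe",
        "FileName": "powershell.exe",
        "InitiatingProcessCommandLine": r'wscript.exe "\\fs01\netlogon\map_drives.js"',
    },
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # ['ws-finance-07']
```

Because the filter requires a wscript.exe parent and a `\chrome.update.<...>.js` argument in that parent's command line, rows with schtasks.exe, wusa.exe or explorer.exe as the initiating process fall outside the where clause as written.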
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job Execution
Description: A scheduled task using schtasks.exe is configured to run a benign script or executable that matches the hash or behavior of the WastedLocker downloader.
Filter/Exclusion: Check the command-line arguments and file hash against known legitimate scheduled job scripts (e.g., C:\Windows\System32\schtasks.exe with arguments like /create or /run).
Scenario: System Update or Patching Tool Execution
Description: A system update tool like wusa.exe (Windows Update Standalone Setup) is executed, which may have similar execution patterns to the WastedLocker downloader.
Filter/Exclusion: Filter by process name and check for known update-related command-line arguments (e.g., /quiet or /background).
Scenario: Admin Task Using PowerShell for Configuration Management
Description: An administrator uses powershell.exe to run a script that configures system settings, which may trigger the rule due to similar execution patterns.
Filter/Exclusion: Check for the presence of powershell.exe running known admin scripts, or filter on the script path (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
Scenario: Legitimate Third-Party Software Installation
Description: A legitimate third-party software installer (e.g., setup.exe from a trusted vendor) is executed, which may have similar behavior to the WastedLocker downloader.
Filter/Exclusion: Use file hash or digital signature checks to exclude known trusted installers. Filter by process name and file location (e.g., C:\Program Files\Vendor\setup.exe).
Scenario: User-Initiated File Execution via Explorer
Description: A user double-clicks a legitimate