This query was originally published in the threat analytics report, Cypherpunk ransomware leaves wake of tampered AVs.
Cypherpunk is a human-operated ransomware campaign named after the unusual .cypherpunk extension given to encrypted files. The attackers often used PSEXESVC, a service that helps the PsExe.exe utility run commands on a remote device. Both PSEXESVC and PsExe.exe are legitimate parts of Windows; however, they can be repurposed by attackers to perform malicious actions.
The query below can find instances of PSEXESVC being used to launch batch files, as often occurred in Cypherpunk attacks.
// Searches for remote batch file launch using PSEXESVC.exe
DeviceProcessEvents
| where InitiatingProcessParentFileName startswith "psexe"
| where InitiatingProcessCommandLine has ".bat"
| where ProcessCommandLine has "DisableIOAVProtection"This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|---|---|---|
| Initial access | ||
| Execution | v | |
| Persistence | ||
| Privilege escalation | ||
| Defense evasion | ||
| Credential Access | ||
| Discovery | ||
| Lateral movement | ||
| Collection | ||
| Command and control | ||
| Exfiltration | ||
| Impact | ||
| Vulnerability | ||
| Exploit | ||
| Misconfiguration | ||
| Malware, component | ||
| Ransomware | v |
Contributor: Microsoft Threat Protection team