Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use SysInternal utilities such as ProcDump to dump credentials from LSASS. They often use these stolen credentials to turn off security software
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Microsoft Defender XDR |
| ID | 1be34fb9-f81b-47ae-84fb-465e6686d76c |
| Severity | High |
| Status | Available |
| Kind | Scheduled |
| Tactics | CredentialAccess |
| Techniques | T1003 |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
DeviceProcessEvents |
ProcessCommandLine contains "-ma"ProcessCommandLine has "-accepteula"ProcessCommandLine has "lsass" |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊