Potential Ransomware activity related to Cobalt Strike

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

This query searches for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns. It looks for alerts that indicate potential ransomware activity, such as attempts to clear security event logs, delete backup files, and execute Cobalt Strike malware.

Attribute	Value
Type	Analytic Rule
Solution	Microsoft Defender XDR
ID	4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d
Severity	High
Status	Available
Kind	Scheduled
Tactics	Execution, Persistence, DefenseEvasion, Impact
Techniques	T1059, T1078, T1070, T1490
Required Connectors	MicrosoftThreatProtection
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
AlertInfo	✓	✗	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to Microsoft Defender XDR