What Changed
Added a new hunting query targeting LockBit ransomware and associated tools deployed via Apache ActiveMQ exploitation (CVE-2023-46604). The query identifies file creation/modification events matching specific SHA256 hashes.
Detection Logic
Primary data source: the DeviceFileEvents table. The query applies isnotempty(SHA256) before the hash lookup so that rows without a hash are discarded cheaply first. The core logic matches against six hardcoded SHA256 hashes representing:
- LockBit ransomware payloads (lb3_pass.exe, lb3.exe)
- Reconnaissance tools (Advanced IP Scanner, netscan.exe)
- RDP configuration scripts (rdp.bat)
Entity mappings include Host, Account, FileHash, File, and Process for comprehensive incident response.
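For reference, an illustrative skeleton of how a query of this shape is laid out in the Sentinel hunting-query YAML format. This is an added example, not the contents of the PR's file: the id, the six hash values and the column-to-entity choices are placeholders and assumptions, and the in~ operator is used so that a mixed-case indicator list still matches the lowercase hex stored in DeviceFileEvents.

```yaml
# Illustrative skeleton only; <...> values are placeholders, not the PR's real indicators.
id: <new-guid>
name: LockBit ransomware hash IoCs (Apache ActiveMQ CVE-2023-46604 campaign)
tactics:
  - Impact
  - Execution
relevantTechniques:
  - T1486
  - T1204
query: |
  // Six IoC hashes (placeholders): LockBit payloads plus the reused tooling.
  let LockBitHashes = dynamic(["<sha256-lb3_pass.exe>", "<sha256-lb3.exe>",
    "<sha256-advanced-ip-scanner-1>", "<sha256-advanced-ip-scanner-2>", "<sha256-netscan.exe>", "<sha256-rdp.bat>"]);
  DeviceFileEvents
  | where ActionType in ("FileCreated", "FileModified")
  // Cheap filter first: rows with no hash can never match and are dropped before the set lookup.
  | where isnotempty(SHA256)
  // in~ is case-insensitive, so an IoC list pasted with upper-case hex still matches stored lowercase values.
  | where SHA256 in~ (LockBitHashes)
  | extend Algorithm = "SHA256"
  | project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath,
            SHA256, Algorithm, InitiatingProcessFileName, InitiatingProcessCommandLine
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DeviceName
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: InitiatingProcessAccountName
  - entityType: FileHash
    fieldMappings:
      - identifier: Algorithm
        columnName: Algorithm
      - identifier: Value
        columnName: SHA256
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: FileName
      - identifier: Directory
        columnName: FolderPath
  - entityType: Process
    fieldMappings:
      - identifier: CommandLine
        columnName: InitiatingProcessCommandLine
version: 1.0.0
```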
MITRE Mapping
- T1486: Data Encrypted for Impact
- T1204: User Execution
Security Impact
This query targets statically compiled artifacts and unmodified legitimate tools frequently reused across LockBit intrusions. While hash-based detection is brittle to recompilation, these specific indicators represent builder artifacts that threat actors deploy without modification, providing reliable detection coverage for this attack chain.
Affected Files
Hunting Queries/Microsoft 365 Defender/Campaigns/Lockbit Ransomware/LockBitRansomwareHashIoCs.yaml