Hunting Queries/DnsEvents/DNS_WannaCry.txt
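// Name: DNS Domains linked to WannaCry ransomware campaign
//
// Id: aaf84b80-7764-420c-98eb-239b5e194b3d
//
// Description: Displays client DNS request for any of the known domains linked to #WannaCry.
// These results may indicate #Wannacry / #Wannacrypt ransomware infection.
// Domain listing from https://pastebin.com/cRUii32E
//
// DataSource: #DnsEvents
//
// Tactics: #InitialAccess, #Execution
//
// Matching notes:
//  - DNS names are case-insensitive, and resolvers/clients may emit mixed-case
//    queries (e.g. 0x20 bit randomisation), so the indicator list is matched with
//    the case-insensitive `in~` rather than the case-sensitive `in`, which would
//    silently miss "AGRDWRTJ.US" style lookups.
//  - Only exact hostnames from the list are matched; subdomain lookups of these
//    domains are not covered by this query.
// Output: one row per (Computer, ClientIP, queried indicator) with the hit count.
DnsEvents
| where Name in~ (
"agrdwrtj.us", "bctxawdt.us", "cokfqwjmferc.us",
"cxbenjiikmhjcerbj.us", "depuisgef.us", "edoknehyvbl.us",
"enyeikruptiukjorq.com", "frullndjtkojlu.us", "gcidpiuvamynj.us",
"gxrytjoclpvv.us", "hanoluexjqcf.us", "iarirjjrnuornts.us",
"ifbjoosjqhaeqjjwaerri.us", "iouenviwrc.us", "kuuelejkfwk.us",
"lkbsxkitgxttgaobxu.us", "nnnlafqfnrbynwor.us", "ns768.com",
"ofdwcjnko.us", "peuwdchnvn.us", "pvbeqjbqrslnkmashlsxb.us",
"pxyhybnyv.us", "qkkftmpy.us", "rkhlkmpfpoqxmlqmkf.us",
"ryitsfeogisr.us", "srwcjdfrtnhnjekjerl.us", "thstlufnunxaksr.us",
"udrgtaxgdyv.us", "w5q7spejg96n.com", "xmqlcikldft.us",
"yobvyjmjbsgdfqnh.us", "yrwgugricfklb.us", "ywpvqhlqnssecpdemq.us" )
// Group by the queried indicator as well, so analysts can see which domain each host asked for.
| summarize count() by Computer, ClientIP, WannaCrypt_Related_Domain = Name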