# Hunting Mespinoza/Pysa

#### PowerShell Mespinoza/Pysa Hunt

First, locate the encrypted files and note their extension; the extension is a strong indicator of which ransomware family hit the Windows system. The query below checks the user profiles for files carrying the ".pysa" extension.

```
SELECT * FROM file WHERE path LIKE "C:\Users\%%" AND filename LIKE "%.pysa"
```

![Successful .pysa Extension Query](/files/uwEfamRdt98NmMSQCrCA)

Another telling sign of Mespinoza/Pysa is antivirus being disabled during the attack. The following query searches the Application log for event ID 15 entries whose data reports Windows Defender's state as SNOOZED.

```
SELECT channel, data, datetime FROM windows_eventlog WHERE channel="Application" AND eventid="15" AND data LIKE "%%SNOOZED%%"
```

![Windows Defender Turned Off During Attack](/files/nnQoNRbOjDvKsDvZkTsy)

The timestamp on that event places the attack on March 28, 2022. Pull the other Windows logs from that day with these queries.

```
SELECT * FROM windows_eventlog WHERE channel="Security" AND datetime LIKE "2022-03-28%%";
SELECT * FROM windows_eventlog WHERE channel="Application" AND datetime LIKE "2022-03-28%%";
SELECT * FROM windows_eventlog WHERE channel="System" AND datetime LIKE "2022-03-28%%"
```

![Windows Logs Pulled for the Day of the Attack](/files/cYpChHemzJCtBG3bIMvE)

These queries pull all of the Windows system's logs from March 28, 2022. From there, look for other suspicious entries in that time frame. If nothing stands out, use this [Sophos source](https://support.sophos.com/support/s/article/KB-000038860?language=en_US) for a list of suspicious Event IDs worth checking. For example, run the query below to see whether the Event Log service was stopped at any point that day.

```
SELECT * FROM windows_eventlog WHERE channel="Security" AND eventid="1100" AND datetime LIKE "2022-03-28%%"
```

![Event Log Service Shutdown on the Day of the Attack](/files/LzZxfGDza5SInu7kn8p0)

Next, check the system registry to see whether the ransomware wrote its banner into the logon notice. Use the following query to pull the "legalnoticecaption" and "legalnoticetext" values from the system policy key.

```
SELECT data, path FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' AND path LIKE "%%legal%%"
```

!["legalnoticecaption" and "legalnoticetext" Both Pulled from the Infected System](/files/EQ0hWhpcP6reedIWRchE)

This further confirms that a version of Pysa was run on the Windows 10 system. Note that the message also includes Proton email addresses, which is common in Mespinoza/Pysa attacks, and that it is written in broken English, another common trait of this attack.

Now, try to find out which version of Mespinoza/Pysa was run on the system. Remember, there are three different versions of this ransomware (**Python Archive, Windows Executable,** and **PowerShell** versions). Run the following query to check whether any step1.ps1 or step2.ps1 scripts were left over in the Windows Users directory.

```
SELECT filename, path, mtime FROM file WHERE path LIKE "C:\Users\%%" AND filename LIKE "step%.ps1"
```

!["step2.ps1" Found in Public Users Folder](/files/1ufQUOVIpQWktHXmlROR)

This confirms that the version of Mespinoza/Pysa run on the Windows system was the **PowerShell** variant; all of the clues picked up by the queries above point the same way. However, what would it look like if the box had been hit with the executable version of Mespinoza/Pysa? A couple more queries show what to expect in that case.

#### Executable Mespinoza/Pysa Hunt

In other instances of Mespinoza/Pysa, suspicious executables may be found that are disguised as legitimate executables. For example, it is common to find a false "svchost.exe" file in the "C:\Windows\Temp" directory. Run a query like the one below to check whether there is a false "svchost.exe" in the "C:\Windows\Temp" directory.

```
SELECT filename, path, size, uid FROM file WHERE path LIKE "C:\Windows\Temp\%%" AND filename="svchost.exe"
```

![Suspicious "svchost.exe" Found in "C:\Windows\Temp" Directory](/files/9OHMHmjsE0NkBv6GE9VA)

In some instances, the executable is deleted by a batch script after it runs. Try searching for "update.bat" in the Temp directory with the following query.

```
SELECT filename, path, size, uid FROM file WHERE path LIKE "C:\Windows\Temp\%%" AND filename="update.bat"
```

!["update.bat" Found in the Temp Directory](/files/bC63kBZMDJoBvn5x9RP7)
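The two hunts above (the PowerShell-variant steps and the executable-variant checks) as one runnable Python script, added here as an example and not part of the lesson: it loads constructed sample rows into an in-memory SQLite database shaped like the osquery `file`, `windows_eventlog` and `registry` tables, replays the lesson's queries against them, pivots from the date of the Defender SNOOZED event to the same-day event-log checks, and classifies the variant from the clues the lesson uses. Every path, event row and registry value is constructed, and the `build_db`/`hunt` helpers and their column subsets are assumptions made for the example.

```python
# Added example, not code from the osquery training page: the lesson's
# Mespinoza/Pysa hunt queries replayed against an in-memory SQLite database
# that mimics the osquery `file`, `windows_eventlog` and `registry` tables.
# Every row below is constructed sample data, not a real artefact.
import sqlite3

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed rows for the PowerShell-variant scenario (columns trimmed to those the queries use).
FILES = [
    # (path, filename, size, uid, mtime)
    (r"C:\Users\alice\Documents\report.docx.pysa", "report.docx.pysa", 4096, 1001, 1648460000),
    (r"C:\Users\alice\Documents\readme.txt", "readme.txt", 300, 1001, 1648000000),
    (r"C:\Users\Public\step2.ps1", "step2.ps1", 2048, 1001, 1648459000),
    (r"C:\Windows\System32\svchost.exe", "svchost.exe", 55000, 0, 1600000000),
]
# Constructed rows for the executable-variant scenario.
EXE_FILES = [
    (r"C:\Users\alice\Documents\report.docx.pysa", "report.docx.pysa", 4096, 1001, 1648460000),
    (r"C:\Windows\Temp\svchost.exe", "svchost.exe", 98304, 0, 1648458000),
    (r"C:\Windows\Temp\update.bat", "update.bat", 120, 0, 1648458500),
    (r"C:\Windows\System32\svchost.exe", "svchost.exe", 55000, 0, 1600000000),
]
EVENTS = [
    # (channel, eventid, datetime, data)
    ("Application", 15, "2022-03-28 10:15:02",
     "Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_SNOOZED."),
    ("Security", 1100, "2022-03-28 10:20:44", "The event logging service has shut down."),
    ("Security", 4624, "2022-03-27 09:00:00", "An account was successfully logged on."),
]
REGISTRY = [
    # (key, path, name, data)
    (POLICY_KEY, POLICY_KEY + r"\legalnoticecaption", "legalnoticecaption", "Hi Company"),
    (POLICY_KEY, POLICY_KEY + r"\legalnoticetext", "legalnoticetext",
     "Every byte on any types of your devices was encrypted. Contact: [constructed]@protonmail.com"),
]


def build_db(files=FILES, events=EVENTS, registry=REGISTRY):
    """Create the mock osquery tables and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE file(path TEXT, filename TEXT, size INTEGER, uid INTEGER, mtime INTEGER);
        CREATE TABLE windows_eventlog(channel TEXT, eventid INTEGER, datetime TEXT, data TEXT);
        CREATE TABLE registry(key TEXT, path TEXT, name TEXT, data TEXT);
    """)
    db.executemany("INSERT INTO file VALUES (?,?,?,?,?)", files)
    db.executemany("INSERT INTO windows_eventlog VALUES (?,?,?,?)", events)
    db.executemany("INSERT INTO registry VALUES (?,?,?,?)", registry)
    return db


def encrypted_files(db):
    """Step 1: files under C:\\Users carrying the .pysa extension."""
    sql = "SELECT path FROM file WHERE path LIKE 'C:\\Users\\%%' AND filename LIKE '%.pysa'"
    return [row[0] for row in db.execute(sql)]


def defender_snoozed_dates(db):
    """Step 2: calendar dates on which the Application log (event 15) reports Defender SNOOZED."""
    sql = ("SELECT datetime FROM windows_eventlog WHERE channel='Application' "
           "AND eventid=15 AND data LIKE '%SNOOZED%'")
    return sorted({row[0][:10] for row in db.execute(sql)})


def events_on(db, day, channel, eventid=None):
    """Steps 3-4: events from one channel on one day, optionally filtered to one event ID."""
    sql = "SELECT eventid, datetime, data FROM windows_eventlog WHERE channel=? AND datetime LIKE ?"
    params = [channel, day + "%"]
    if eventid is not None:
        sql += " AND eventid=?"
        params.append(eventid)
    return db.execute(sql, params).fetchall()


def ransom_banner(db):
    """Step 5: legalnotice* values under the Policies\\System key, as {name: data}."""
    sql = "SELECT name, data FROM registry WHERE key=? AND path LIKE '%legal%'"
    return dict(db.execute(sql, (POLICY_KEY,)).fetchall())


def stage_scripts(db):
    """Step 6: leftover step*.ps1 scripts anywhere under C:\\Users."""
    sql = "SELECT path FROM file WHERE path LIKE 'C:\\Users\\%%' AND filename LIKE 'step%.ps1'"
    return [row[0] for row in db.execute(sql)]


def temp_masquerade(db, names=("svchost.exe", "update.bat")):
    """Executable hunt: the named files found under C:\\Windows\\Temp, as {filename: path}."""
    sql = ("SELECT filename, path FROM file WHERE path LIKE 'C:\\Windows\\Temp\\%%' "
           "AND filename IN (" + ",".join("?" * len(names)) + ")")
    return dict(db.execute(sql, names).fetchall())


def hunt(db):
    """Run the whole lesson and summarise which variant the clues point to."""
    days = defender_snoozed_dates(db)
    banner = ransom_banner(db)
    scripts = stage_scripts(db)
    temp = temp_masquerade(db)
    # Heuristic from the lesson: step*.ps1 -> PowerShell variant; svchost.exe in Temp -> executable.
    variant = "PowerShell" if scripts else "Windows Executable" if "svchost.exe" in temp else "unknown"
    return {
        "encrypted_files": encrypted_files(db),
        "defender_snoozed_on": days,
        # Event 1100 (event logging service shut down) on each day Defender was snoozed
        "eventlog_stopped": {d: len(events_on(db, d, "Security", 1100)) for d in days},
        "banner_mentions_proton": any("proton" in v.lower() for v in banner.values()),
        "stage_scripts": scripts,
        "temp_masquerade": temp,
        "variant": variant,
    }


if __name__ == "__main__":
    for label, files in (("PowerShell variant", FILES), ("executable variant", EXE_FILES)):
        print(label, hunt(build_db(files=files)))
```

Running the script prints the summary for both constructed scenarios. Two details differ from the lesson's queries on purpose: string literals use single quotes, the standard SQL form (osqueryi accepts the lesson's double-quoted literals, but plain SQLite builds may not, since the double-quoted-string fallback is a compile-time option there), and because the rows are already materialized, `%%` behaves here as an ordinary wildcard, whereas in osquery's `file` table it is what tells the table to recurse into subdirectories.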
