Known Shadow Copy Delete command executed
Shadow Copy Deletion
Query
let CommonRansomwareExecutionCommands = dynamic([@'vssadmin.exe delete shadows /all /quiet',
@'wmic.exe shadowcopy delete', @'wbadmin delete catalog -quiet',
@'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}',
@'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk',
@'wbadmin delete systemstatebackup -keepVersions:0',
@'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable',
@'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1',
@'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f',
@'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f',
@'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f',
@'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f',
@'reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /f >nul 2>&1',
@'reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /f >nul 2>&1',
@'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f >nul 2>&1',
@'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1']);
DeviceProcessEvents
| where ProcessCommandLine has_any (CommonRansomwareExecutionCommands)
| project-reorder TimeGenerated, ProcessCommandLine, DeviceName, AccountNameAbout this query
Explanation
This query is designed to detect when certain known commands, often used by ransomware, are executed to delete shadow copies on a Windows system. Shadow copies are essentially backups or snapshots of the system, and deleting them can prevent recovery from ransomware attacks.
Here's a simple breakdown of what the query does:
-
Purpose: The query aims to identify when specific commands associated with deleting shadow copies are executed. This is a common tactic used by ransomware to inhibit system recovery, making it difficult to restore the system to a previous state after an attack.
-
Commands Monitored: The query looks for a list of known commands that can delete shadow copies or disable system restore functionalities. These include commands like
vssadmin.exe delete shadows,wmic.exe shadowcopy delete, and several others that manipulate system restore settings or delete backup files. -
Data Source: The query checks the
DeviceProcessEventstable, which logs process execution events on devices. -
Output: When any of these commands are detected in the
ProcessCommandLine, the query outputs relevant details such as the timestamp of the event, the command executed, the device name, and the account name associated with the execution. -
Tools: The query is structured for use in two different security monitoring tools: Defender XDR and Sentinel. The structure is similar for both, with minor differences in the output column names (
Timestampvs.TimeGenerated).
Overall, this query helps security teams quickly identify potential ransomware activity by flagging attempts to delete system backups, which is a critical step in many ransomware attacks.
