Query Details

Known Shadow Copy Delete command executed

Shadow Copy Deletion

Query

let CommonRansomwareExecutionCommands = dynamic([@'vssadmin.exe delete shadows /all /quiet', 
@'wmic.exe shadowcopy delete', @'wbadmin delete catalog -quiet', 
@'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}',
@'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk', 
@'wbadmin delete systemstatebackup -keepVersions:0', 
@'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable', 
@'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1', 
@'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f', 
@'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f', 
@'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f', 
@'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f', 
@'reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /f >nul 2>&1', 
@'reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /f >nul 2>&1', 
@'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f >nul 2>&1', 
@'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1']);
DeviceProcessEvents
| where ProcessCommandLine has_any (CommonRansomwareExecutionCommands)
| project-reorder TimeGenerated, ProcessCommandLine, DeviceName, AccountName

About this query

Explanation

This query is designed to detect when certain known commands, often used by ransomware, are executed to delete shadow copies on a Windows system. Shadow copies are essentially backups or snapshots of the system, and deleting them can prevent recovery from ransomware attacks.

Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify when specific commands associated with deleting shadow copies are executed. This is a common tactic used by ransomware to inhibit system recovery, making it difficult to restore the system to a previous state after an attack.

  2. Commands Monitored: The query looks for a list of known commands that can delete shadow copies or disable system restore functionalities. These include commands like vssadmin.exe delete shadows, wmic.exe shadowcopy delete, and several others that manipulate system restore settings or delete backup files.

  3. Data Source: The query checks the DeviceProcessEvents table, which logs process execution events on devices.

  4. Output: When any of these commands are detected in the ProcessCommandLine, the query outputs relevant details such as the timestamp of the event, the command executed, the device name, and the account name associated with the execution.

  5. Tools: The query is structured for use in two different security monitoring tools: Defender XDR and Sentinel. The structure is similar for both, with minor differences in the output column names (Timestamp vs. TimeGenerated).

Overall, this query helps security teams quickly identify potential ransomware activity by flagging attempts to delete system backups, which is a critical step in many ransomware attacks.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessCommandLineTimestampNameAccountTimeGenerated

Operators

letdynamichas_anyproject-reorder

MITRE Techniques

Actions

GitHub