WMIC Shadow Copy Deletion
Detects adversaries using WMI to delete shadow copies. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule (View on GitHub)
1title: WMIC Shadow Copy Deletion
2id: 68483dc1-6bce-44ba-821b-59f3a0ba3bd8
3status: experimental
4description: Detects adversaries using WMI to delete shadow copies. Inspired by the
5 2022 Red Canary Threat Detection report.
6references:
7 - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
8author: Micah Babinski
9date: 2022/11/03
10tags:
11 - attack.impact
12 - attack.t1490
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\wmic.exe'
19 CommandLine|contains|all:
20 - 'shadowcopy'
21 - 'delete'
22 condition: selection
23falsepositives:
24 - Unknown
25level: medium```
References
-
Windows Management Instrumentation (WMI) is a prevalent technique leveraged for lateral movement and discovery by adversaries.
Read More
Related rules
- Secure Deletion with SDelete
- Overwriting the File with Dev Zero or Null
- Okta API Token Revoked
- Okta Application Modified or Deleted
- Okta Application Sign-On Policy Modified or Deleted