WMI Shadow Copy Deletion

It’s not uncommon for ransomware operators to leverage WMI to delete volume shadows, significantly complicating the process for recovering access to encrypted systems and files. If you want to detect ransomware using WMI to delete shadow copies, consider looking for wmic.exe execution with command lines including shadowcopy or delete. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: WMI Shadow Copy Deletion
id: 1c078d3c-749c-40ce-9400-c2dbad604764
status: experimental
description: |
    It’s not uncommon for ransomware operators to leverage WMI to delete volume shadows,
    significantly complicating the process for recovering access to encrypted systems and files.
    If you want to detect ransomware using WMI to delete shadow copies, consider looking for
    wmic.exe execution with command lines including shadowcopy or delete. Part of the RedCanary
    2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1047
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains:
            - 'shadowcopy'
            - 'delete'
    condition: selection
falsepositives:
    - Unknown
level: low
```
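The following is an added example, not part of the rule or of the Red Canary report, that re-implements the rule's `selection` block in plain Python and runs it over a handful of constructed process-creation events. It assumes the usual Sigma semantics for the modifiers used here: `endswith` and `contains` compare case-insensitively, and a list under `contains` is an OR of its values. The second sample event shows why the rule carries `level: low` and `falsepositives: Unknown`: any `wmic.exe` command line containing `delete` satisfies the selection, not only shadow-copy deletion.

```python
"""Evaluate the 'WMI Shadow Copy Deletion' Sigma selection against process-creation events.

Added illustration; the field names (Image, CommandLine) follow the Sigma
process_creation log source, and the matching semantics below are an
assumption about how a Sigma backend treats |endswith and |contains.
"""
from typing import Dict, List, Tuple

# Values copied from the rule's selection block.
IMAGE_SUFFIX = "\\wmic.exe"                 # Image|endswith
COMMANDLINE_TERMS = ("shadowcopy", "delete")  # CommandLine|contains (OR over the list)


def matched_terms(event: Dict[str, str]) -> List[str]:
    """Return the CommandLine|contains values present in the event, for triage.

    Sigma string matching is case-insensitive, so both sides are lower-cased.
    """
    cmdline = str(event.get("CommandLine", "")).lower()
    return [term for term in COMMANDLINE_TERMS if term in cmdline]


def selection_matches(event: Dict[str, str]) -> bool:
    """True when the event satisfies 'condition: selection' of the rule.

    Both fields of the selection must hold: the Image suffix AND at least one
    of the CommandLine terms (the list is an OR, not an AND).
    """
    image = str(event.get("Image", "")).lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    return bool(matched_terms(event))


# Constructed sample events (not real telemetry), shaped like Sysmon/EDR
# process-creation records reduced to the two fields the rule inspects.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 1: the behaviour the rule is written for; mixed case on purpose
        "id": "1",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "CommandLine": "wmic shadowcopy delete",
    },
    {   # 2: administrative use of wmic to end a process; fires on 'delete' alone
        "id": "2",
        "Image": r"C:\Windows\System32\wbem\wmic.exe",
        "CommandLine": 'wmic process where name="notepad.exe" delete',
    },
    {   # 3: ordinary inventory query; neither term present
        "id": "3",
        "Image": r"C:\Windows\System32\wbem\wmic.exe",
        "CommandLine": "wmic os get caption",
    },
    {   # 4: different binary; out of scope for this rule regardless of command line
        "id": "4",
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "CommandLine": "vssadmin list shadows",
    },
]


def run(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[Tuple[str, bool, List[str]]]:
    """Evaluate every event and return (id, matched, terms_hit) for review."""
    return [(e["id"], selection_matches(e), matched_terms(e)) for e in events]


if __name__ == "__main__":
    for event_id, hit, terms in run():
        print(f"event {event_id}: {'ALERT' if hit else 'no match'} {terms}")
```

Event 2 is the practical caveat: the rule is deliberately broad, so an analyst should expect to see routine `wmic ... delete` administration alongside genuine shadow-copy deletion and should pivot on the full command line and parent process before escalating.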
