Detects the image load of vss_ps.dll by uncommon executables
Detects the image load of VSS DLL by uncommon executables
Detects loading of Amsi.dll by uncommon processes
Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.
Deletes the Windows systemstatebackup using wbadmin.exe.
This technique is used by numerous ransomware families.
This may only be successful on server platforms that have Windows Backup enabled.
Detects a command that accesses password storing registry hives via volume shadow backups
Detects modifications to a configuration that would serve an adversary's impact or persistence objectives
Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Shadow Copies deletion using operating systems utilities via PowerShell
Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
Detects the modification of the registry to disable System Restore on the computer