attack.t1490

Deletion of Volume Shadow Copies via WMI with PowerShell

Nov 2, 2023 · attack.impact attack.t1490 ·

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

AWS S3 Bucket Versioning Disable

Oct 28, 2023 · attack.impact attack.t1490 ·

Share on:

Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.

Delete Volume Shadow Copies Via WMI With PowerShell

Oct 28, 2023 · attack.impact attack.t1490 ·

Share on:

Shadow Copies deletion using operating systems utilities via PowerShell

Boot Configuration Tampering Via Bcdedit.EXE

Oct 18, 2023 · attack.impact attack.t1490 ·

Share on:

Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.

Suspicious Volume Shadow Copy Vssapi.dll Load

Oct 18, 2023 · attack.defense_evasion attack.impact attack.t1490 ·

Share on:

Detects the image load of VSS DLL by uncommon executables

Suspicious Volume Shadow Copy Vsstrace.dll Load

Oct 18, 2023 · attack.defense_evasion attack.impact attack.t1490 ·

Share on:

Detects the image load of VSS DLL by uncommon executables

WannaCry Ransomware Activity

Oct 18, 2023 · attack.lateral_movement attack.t1210 attack.discovery attack.t1083 attack.defense_evasion attack.t1222.001 attack.impact attack.t1486 attack.t1490 detection.emerging_threats ·

Share on:

Detects WannaCry ransomware activity

Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script

Oct 17, 2023 · attack.impact attack.t1490 ·

Share on:

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Sensitive Registry Access via Volume Shadow Copy

Oct 17, 2023 · attack.impact attack.t1490 ·

Share on:

Detects a command that accesses password storing registry hives via volume shadow backups

New Root or CA or AuthRoot Certificate to Store

Aug 17, 2023 · attack.impact attack.t1490 ·

Share on:

Detects the addition of new root, CA or AuthRoot certificates to the Windows registry

Registry Disable System Restore

Aug 17, 2023 · attack.impact attack.t1490 ·

Share on:

Detects the modification of the registry to disable a system restore on the computer

Potential Dtrack RAT Activity

Jun 20, 2023 · attack.impact attack.t1490 detection.emerging_threats ·

Share on:

Detects potential Dtrack RAT activity via specific process patterns

Potential Maze Ransomware Activity

Jun 20, 2023 · attack.execution attack.t1204.002 attack.t1047 attack.impact attack.t1490 detection.emerging_threats ·

Share on:

Detects specific process characteristics of Maze ransomware word document droppers

Amsi.DLL Load By Uncommon Process

Jun 1, 2023 · attack.defense_evasion attack.impact attack.t1490 ·

Share on:

Detects loading of Amsi.dll by uncommon processes

Suspicious Volume Shadow Copy VSS_PS.dll Load

May 23, 2023 · attack.defense_evasion attack.impact attack.t1490 ·

Share on:

Detects the image load of vss_ps.dll by uncommon executables

Copy From VolumeShadowCopy Via Cmd.EXE

Mar 7, 2023 · attack.impact attack.t1490 ·

Share on:

Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)

Backup Files Deleted

Feb 17, 2023 · attack.impact attack.t1490 ·

Share on:

Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.

SystemStateBackup Deleted Using Wbadmin.EXE

Feb 5, 2023 · attack.impact attack.t1490 ·

Share on:

Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled.

Cisco Modify Configuration

Jan 4, 2023 · attack.persistence attack.impact attack.t1490 attack.t1505 attack.t1565.002 attack.t1053 ·

Share on:

Modifications to a config that will serve an adversary's impacts or persistence

Delete Volume Shadow Copies via WMI with PowerShell - PS Script

Jan 4, 2023 · attack.impact attack.t1490 ·

Share on:

Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Boot Configuration Database (BCD) Manipulation - Registry Modification

Nov 22, 2022 · attack.impact attack.t1490 attack.g0092 ·

Share on:

Detects registry modifications occuring in tandem with disruption of boot processes with bcdedit (or as a method to evade detection)

Use of bcdedit to Disrupt Boot Processes

Nov 22, 2022 · attack.impact attack.t1490 attack.g0092 ·

Share on:

Detects the use of bcdedit to disrupt normal boot processes.

WMIC Shadow Copy Deletion

Nov 9, 2022 · attack.impact attack.t1490 ·

Share on:

Detects adversaries using WMI to delete shadow copies. Inspired by the 2022 Red Canary Threat Detection report.