Detects the image load of vss_ps.dll by uncommon executables

Detects the image load of VSS DLL by uncommon executables

Detects loading of Amsi.dll by uncommon processes

Detects the image load of VSS DLL by uncommon executables

Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.

Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.

Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled.

Detects a command that accesses password storing registry hives via volume shadow backups

Modifications to a config that will serve an adversary's impacts or persistence

Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Shadow Copies deletion using operating systems utilities via PowerShell

Detects the addition of new root, CA or AuthRoot certificates to the Windows registry

Detects the modification of the registry to disable a system restore on the computer