Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Read More

Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.

Read More

Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.

Read More

Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil". An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.

Read More

Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring.

Read More

Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.

Read More

Detects the image load of VSS DLL by uncommon executables

Read More

Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.

Read More

Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.

Read More

Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.

Read More

Modifications to a config that will serve an adversary's impacts or persistence

Read More

Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)

Read More

Shadow Copies deletion using operating systems utilities via PowerShell

Read More

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Read More

Detects the addition of new root, CA or AuthRoot certificates to the Windows registry

Read More

Detects potential Dtrack RAT activity via specific process patterns

Read More

Detects specific process characteristics of Maze ransomware word document droppers

Read More

Detects the modification of the registry to disable a system restore on the computer

Read More

Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)

Read More

Detects the image load of vss_ps.dll by uncommon executables

Read More

Detects the image load of VSS DLL by uncommon executables

Read More

Detects WannaCry ransomware activity

Read More

Detects the deletion of backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.

Read More

It’s not uncommon for ransomware operators to leverage WMI to delete volume shadows, significantly complicating the process for recovering access to encrypted systems and files. If you want to detect ransomware using WMI to delete shadow copies, consider looking for wmic.exe execution with command lines including shadowcopy or delete. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects registry modifications occuring in tandem with disruption of boot processes with bcdedit (or as a method to evade detection)

Read More

Detects the use of bcdedit to disrupt normal boot processes.

Read More

Detects adversaries using WMI to delete shadow copies. Inspired by the 2022 Red Canary Threat Detection report.

Read More