Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.
Shadow Copies deletion using operating systems utilities via PowerShell
Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.
Detects the image load of VSS DLL by uncommon executables
Detects WannaCry ransomware activity
Detects a command that accesses password storing registry hives via volume shadow backups
Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
Detects the modification of the registry to disable a system restore on the computer
Detects potential Dtrack RAT activity via specific process patterns
Detects specific process characteristics of Maze ransomware word document droppers
Detects loading of Amsi.dll by uncommon processes
Detects the image load of vss_ps.dll by uncommon executables
Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled.
Modifications to a config that will serve an adversary's impacts or persistence
Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Detects registry modifications occurring in tandem with disruption of boot processes with bcdedit (or as a method to evade detection)
Detects the use of bcdedit to disrupt normal boot processes.
Detects adversaries using WMI to delete shadow copies. Inspired by the 2022 Red Canary Threat Detection report.