CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
a00a114101ab33eda2e75c9cf2ddab57cccea821
hayabusa/rules/sigma/process_creation/win_shadow_copies_deletion.yml
DustInDark 0cfa806baf Feature/addruletype to sigma rule#230 (#235) 
* added ruletype to SIGMA rule #230

* added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00

68 lines
2.2 KiB
YAML
Raw Blame History

title: Shadow Copies Deletion Using Operating Systems Utilities
author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community,
Andreas Hunkeler (@Karneades)
date: 2019/10/22
description: Shadow Copies deletion using operating systems utilities
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '*resize*'
SELECTION_11:
CommandLine: '*shadowstorage*'
SELECTION_12:
CommandLine: '*unbounded*'
SELECTION_2:
Image:
- '*\powershell.exe'
- '*\wmic.exe'
- '*\vssadmin.exe'
- '*\diskshadow.exe'
SELECTION_3:
CommandLine: '*shadow*'
SELECTION_4:
CommandLine: '*delete*'
SELECTION_5:
Image:
- '*\wbadmin.exe'
SELECTION_6:
CommandLine: '*delete*'
SELECTION_7:
CommandLine: '*catalog*'
SELECTION_8:
CommandLine: '*quiet*'
SELECTION_9:
Image: '*\vssadmin.exe'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5
and SELECTION_6 and SELECTION_7 and SELECTION_8) or (SELECTION_9 and SELECTION_10
and SELECTION_11 and SELECTION_12)))
falsepositives:
- Legitimate Administrator deletes Shadow Copies using operating systems utilities
for legitimate reason
fields:
- CommandLine
- ParentCommandLine
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/10/24
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://blog.talosintelligence.com/2017/05/wannacry.html
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
- https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
- https://github.com/Neo23x0/Raccine#the-process
- https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar
- https://redcanary.com/blog/intelligence-insights-october-2021/
status: stable
tags:
- attack.defense_evasion
- attack.impact
- attack.t1070
- attack.t1490
ruletype: SIGMA
Reference in New Issue View Git Blame Copy Permalink