CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f71d5848fee4ffb52c83f10fbf204b3aa5e2bb1b
hayabusa/rules/Sigma/powershell_delete_volume_shadow_copies.yml
Tanaka Zakku 50aebce32e Added Sigma Rules
2021-11-14 11:00:56 +09:00

38 lines
1.3 KiB
YAML
Raw Blame History

title: Delete Volume Shadow Copies Via WMI With PowerShell
author: frack113
date: 2021/06/03
description: Shadow Copies deletion using operating systems utilities via PowerShell
detection:
SELECTION_1:
HostApplication: '*Get-WmiObject*'
SELECTION_2:
HostApplication: '* Win32_Shadowcopy*'
SELECTION_3:
HostApplication: '*Delete()*'
SELECTION_4:
HostApplication: '*Remove-WmiObject*'
condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
falsepositives:
- Legitimate Administrator deletes Shadow Copies using operating systems utilities
for legitimate reason
fields:
- HostApplication
id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
level: critical
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml
- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
status: experimental
tags:
- attack.impact
- attack.t1490
yml_filename: powershell_delete_volume_shadow_copies.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
Reference in New Issue View Git Blame Copy Permalink