LoFP LoFP / legitimate administrator deletes shadow copies using operating systems utilities for legitimate reason

Techniques

Sample rules

Shadow Copies Deletion Using Operating Systems Utilities

Description

Shadow Copies deletion using operating systems utilities

Detection logic

condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
selection1_cli:
  CommandLine|contains|all:
  - shadow
  - delete
selection1_img:
- Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  - \wmic.exe
  - \vssadmin.exe
  - \diskshadow.exe
- OriginalFileName:
  - PowerShell.EXE
  - pwsh.dll
  - wmic.exe
  - VSSADMIN.EXE
  - diskshadow.exe
selection2_cli:
  CommandLine|contains|all:
  - delete
  - catalog
  - quiet
selection2_img:
- Image|endswith: \wbadmin.exe
- OriginalFileName: WBADMIN.EXE
selection3_cli:
  CommandLine|contains:
  - unbounded
  - /MaxSize=
  CommandLine|contains|all:
  - resize
  - shadowstorage
selection3_img:
- Image|endswith: \vssadmin.exe
- OriginalFileName: VSSADMIN.EXE

Delete Volume Shadow Copies Via WMI With PowerShell

Description

Shadow Copies deletion using operating systems utilities via PowerShell

Detection logic

condition: selection
selection:
  Data|contains:
  - Delete()
  - Remove-WmiObject
  Data|contains|all:
  - Get-WmiObject
  - Win32_ShadowCopy