IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Volume Shadow Copy Deletion via PowerShell
Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Impact
Added (Elastic Stack release): 7.16.0
Last modified (Elastic Stack release): 7.16.0
Rule authors: Elastic, Austin Songer
Rule license: Elastic License v2
Rule query
process where event.type in ("start", "process_started") and
  process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
  process.args : ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*") and
  process.args : ("*Win32_ShadowCopy*") and
  process.args : ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*")
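To see how the query's clauses combine, the following is an added Python emulation of the rule run over constructed sample events. It is not Elastic's EQL engine, not part of the rule, and the sample events are invented telemetry, not real logs. It assumes the EQL semantics documented for this query: `:` is a case-insensitive wildcard comparison, and against an array field such as `process.args` it is true when any element matches any listed pattern, so all three `process.args` clauses can be satisfied by a single `-Command` string.

```python
"""Emulate the EQL rule on this page over constructed process-start events."""
import fnmatch
from typing import Any, Dict, Iterable, List

# Clauses copied from the rule query above.
EVENT_TYPES = {"start", "process_started"}
PROCESS_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Every group must be satisfied by at least one element of process.args.
ARG_GROUPS = (
    ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*"),
    ("*Win32_ShadowCopy*",),
    ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*"),
)


def _as_list(value: Any) -> List[str]:
    """ECS fields such as event.category may be a string or an array; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _wildcard_any(values: Iterable[str], patterns: Iterable[str]) -> bool:
    """EQL ':' is a case-insensitive wildcard comparison ('*' = any run of characters);
    against an array field it is true when any element matches any pattern."""
    return any(
        fnmatch.fnmatchcase(str(v).lower(), p.lower()) for v in values for p in patterns
    )


def matches_rule(event: Dict[str, Any]) -> bool:
    """True when the event satisfies every clause of the rule query."""
    ev = event.get("event", {})
    proc = event.get("process", {})
    if "process" not in _as_list(ev.get("category")):          # 'process where ...'
        return False
    if not (set(_as_list(ev.get("type"))) & EVENT_TYPES):       # event.type in (...)
        return False
    if str(proc.get("name", "")).lower() not in PROCESS_NAMES:  # process.name : (...)
        return False
    args = _as_list(proc.get("args"))
    return all(_wildcard_any(args, group) for group in ARG_GROUPS)


def _event(name: str, args: List[str], etype: str = "start") -> Dict[str, Any]:
    """Build a minimal ECS-shaped process event (constructed sample data)."""
    return {"event": {"category": ["process"], "type": [etype]},
            "process": {"name": name, "args": args}}


# Constructed sample events, not real telemetry. Only the tokens already listed in the
# rule query are used; the names say what each case is meant to exercise.
SAMPLE_EVENTS = {
    # Enumerating shadow copies without any removal verb: the rule stays quiet.
    "benign_listing": _event("pwsh.exe", ["pwsh.exe", "-Command",
                                          "Get-CimInstance -ClassName Win32_ShadowCopy"]),
    # Alias forms (gwmi / rwmi) are covered by the wildcard patterns.
    "alias_removal": _event("powershell.exe", ["powershell.exe", "-c",
                                               "gwmi Win32_ShadowCopy | rwmi"]),
    # ':' is case-insensitive, so odd casing does not evade the match.
    "mixed_case": _event("POWERSHELL_ISE.EXE", ["powershell_ise.exe", "-Command",
                                                "get-wmiobject win32_shadowcopy | remove-wmiobject"]),
    # Same arguments under a non-PowerShell host fall outside this rule's process.name scope.
    "not_powershell": _event("cmd.exe", ["cmd.exe", "/c", "gwmi Win32_ShadowCopy | rwmi"]),
    # Only start events are considered, so a process-end record is ignored.
    "process_end": _event("powershell.exe", ["powershell.exe", "-c",
                                             "gwmi Win32_ShadowCopy | rwmi"], etype="end"),
}


def evaluate(events: Dict[str, Dict[str, Any]]) -> Dict[str, bool]:
    """Run the rule over each named event and return its verdict."""
    return {name: matches_rule(e) for name, e in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if hit else 'quiet'}  {name}")
```

The `not_powershell` case is the caveat worth noting when tuning: the rule is deliberately scoped to PowerShell hosts, so the same WMI/CIM operations issued from another interpreter, or shadow copy removal through other tooling, need their own coverage rather than a loosened version of this query.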
Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Impact
  - ID: TA0040
  - Reference URL: https://attack.mitre.org/tactics/TA0040/
- Technique:
  - Name: Inhibit System Recovery
  - ID: T1490
  - Reference URL: https://attack.mitre.org/techniques/T1490/