diff --git a/analytics/CAR-2020-04-001.yaml b/analytics/CAR-2020-04-001.yaml index a47b6301..09b3b025 100644 --- a/analytics/CAR-2020-04-001.yaml +++ b/analytics/CAR-2020-04-001.yaml @@ -10,68 +10,4 @@ analytic_types: - TTP id: CAR-2020-04-001 description: |- - The Windows [Volume Shadow Copy Service](https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service) is a built-in OS feature that can be used to create backup copies of files and volumes. - - Adversaries may delete these shadow copies, typically through the usage of system utilities such as vssadmin.exe or wmic.exe, in order prevent file and data recovery. This technique is commonly employed for this purpose by ransomware. -coverage: - - technique: T1490 - tactics: - - TA0040 - coverage: Medium -implementations: - - name: Vssadmin.exe delete shadows - description: This pseudocode looks for process event creates around the vssadmin.exe utility with a specific set of command-line parameters for deleting shadow copies. - code: |- - processes = search Process:Create - vssadmin_processes = filter processes where ( - command_line = "*delete shadows*" and - image_path = "C:\Windows\System32\vssadmin.exe") - output vssadmin_processes - type: Pseudocode - - name: WMIC shadowcopy delete - description: This pseudocode looks for process event creates around wmic.exe with a specific set of command-line parameters for deleting shadow copies. - code: |- - processes = search Process:Create - wmic_processes = filter processes where ( - command_line = "*shadowcopy delete*" and - image_path = "C:\Windows\*\wmic.exe") - output wmic_processes - type: Pseudocode - - name: Vssadmin.exe delete shadows - description: Splunk version of the CAR pseudocode. - code: |- - index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="*delete shadows*" - type: Splunk - data_model: Sysmon native - - name: WMIC shadowcopy delete - description: Splunk version of the CAR pseudocode. - code: |- - index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\wmic.exe" CommandLine="*shadowcopy delete*" - type: Splunk - data_model: Sysmon native - - name: Vssadmin.exe delete shadows - description: An [EQL](https://eqllib.readthedocs.io/en/latest/analytics/d3a327b6-c517-43f2-8e97-1f06b7370705.html) version of the CAR pseudocode. - type: EQL - data_model: EQL native - - name: WMIC shadowcopy delete - description: An [EQL](https://eqllib.readthedocs.io/en/latest/analytics/7163f069-a756-4edc-a9f2-28546dcb04b0.html) version of the CAR pseudocode. - type: EQL - data_model: EQL native - - name: Vssadmin.exe delete shadows & WMIC shadowcopy delete - description: A [Sigma](https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml) version of the CAR pseudocode for both vssadmin.exe and wmic.exe approaches. - type: Sigma - data_model: Sigma native - - description: LogPoint version of the above pseudocodes. - code: |- - norm_id=WindowsSysmon event_id=1 ((image="C:\Windows\*\wmic.exe" command="*shadowcopy delete*") OR (image="C:\Windows\System32\vssadmin.exe" command="*delete shadows*")) - type: LogPoint - data_mode: LogPoint native -data_model_references: - - process/create/image_path - - process/create/command_line -references: - - This [Red Canary](https://redcanary.com/blog/its-all-fun-and-games-until-ransomware-deletes-the-shadow-copies/) blog post covers both vssadmin.exe and wmic.exe approaches as well as potential others. -d3fend_mappings: - - iri: d3f:ProcessSpawnAnalysis - id: D3-PSA - label: Process Spawn Analysis + This analytic has been deprecated in favor of [CAR-2021-01-009](/analytics/CAR-2021-01-009), which covers the same technique with some additional detections.