(YARA) YARA_SHADOW_COPY_DELETION
rule shadow_copy_deletion {
meta:
description = "Detect shadow copy deletion"
author = "ditekSHen/Unprotect"
strings:
$x1 = "cmd.exe /c \"vssadmin.exe Delete Shadows /all /quiet\"" fullword ascii
$x2 = "C:\\Windows\\System32\\cmd.exe" fullword ascii
$cmd1 = "cmd /c \"WMIC.exe shadowcopy delet\"" ascii wide nocase
$cmd2 = "vssadmin.exe Delete Shadows /all" ascii wide nocase
$cmd3 = "Delete Shadows /all" ascii wide nocase
$cmd4 = "} recoveryenabled no" ascii wide nocase
$cmd5 = "} bootstatuspolicy ignoreallfailures" ascii wide nocase
$cmd6 = "wmic SHADOWCOPY DELETE" ascii wide nocase
$cmd7 = "\\Microsoft\\Windows\\SystemRestore\\SR\" /disable" ascii wide nocase
$cmd8 = "resize shadowstorage /for=c: /on=c: /maxsize=" ascii wide nocase
$cmd9 = "shadowcopy where \"ID='%s'\" delete" ascii wide nocase
$cmd10 = "wmic.exe SHADOWCOPY /nointeractive" ascii wide nocase
$cmd11 = "WMIC.exe shadowcopy delete" ascii wide nocase
$cmd12 = "Win32_Shadowcopy | ForEach-Object {$_.Delete();}" ascii wide nocase
$delr = /del \/s \/f \/q(( [A-Za-z]:\\(\*\.|[Bb]ackup))(VHD|bac|bak|wbcat|bkf)?)+/ ascii wide
$wp1 = "delete catalog -quiet" ascii wide nocase
$wp2 = "wbadmin delete backup" ascii wide nocase
$wp3 = "delete systemstatebackup" ascii wide nocase
condition:
(uint16(0) == 0x5a4d and 2 of ($cmd*) or (1 of ($cmd*) and 1 of ($wp*)) or #delr > 4) or (4 of them)
}
Associated Techniques
Technique Name | Technique ID's | Snippet(s) | OS |
---|---|---|---|
Volume Shadow Copy Service (VSC,VSS) Deletion | U0305 T1070.004 |
Matching Samples 10 most recent
Sample Name | Matching Techniques | First Seen | Last Seen |
---|---|---|---|
f9a5a72ead096594c5d59abe706e...0c3b4ebd7690f2eb114a37d1a7db | 6 | 2024-11-19 | 1 month, 1 week ago |
f2665f89ba53abd3deb81988c0d5...4053e77fc89b98b64a31a7504d77 | 6 | 2024-11-19 | 1 month, 1 week ago |
Created
June 20, 2022
Last Revised
June 20, 2022