(YARA) YARA_SHADOW_COPY_DELETION
/*
 * shadow_copy_deletion
 *
 * Flags samples that carry command-line fragments used to delete Volume
 * Shadow Copies and Windows backups or to turn off recovery options:
 * vssadmin / wmic shadowcopy deletion, wbadmin backup and catalog deletion,
 * bcdedit-style recovery settings, the System Restore scheduled task, and
 * bulk "del /s /f /q" of backup files.
 *
 * Every hit is a static string match. Admin tooling, help text or a script
 * that merely documents these commands can satisfy the weaker branches of
 * the condition, so treat a match as a triage lead rather than a verdict.
 */
rule shadow_copy_deletion {
meta:
description = "Detect shadow copy deletion"
author = "ditekSHen/Unprotect"
strings:
// $x*: only consulted through "4 of them" in the condition. $x2 is a
// generic system path and adds little specificity on its own.
$x1 = "cmd.exe /c \"vssadmin.exe Delete Shadows /all /quiet\"" fullword ascii
$x2 = "C:\\Windows\\System32\\cmd.exe" fullword ascii
// $cmd*: shadow-copy / recovery tampering commands, case-insensitive, in
// both narrow (ascii) and UTF-16 (wide) encodings.
// "delet" is truncated in the source; presumably intentional so a shortened
// or mis-typed variant still matches -- confirm before tightening.
$cmd1 = "cmd /c \"WMIC.exe shadowcopy delet\"" ascii wide nocase
$cmd2 = "vssadmin.exe Delete Shadows /all" ascii wide nocase
$cmd3 = "Delete Shadows /all" ascii wide nocase
// The leading "}" likely matches the tail of a bcdedit "/set {default} ..."
// command, so the identifier itself is not part of the match.
$cmd4 = "} recoveryenabled no" ascii wide nocase
$cmd5 = "} bootstatuspolicy ignoreallfailures" ascii wide nocase
$cmd6 = "wmic SHADOWCOPY DELETE" ascii wide nocase
// System Restore scheduled-task path followed by a /disable switch
// (likely the schtasks /Change form).
$cmd7 = "\\Microsoft\\Windows\\SystemRestore\\SR\" /disable" ascii wide nocase
// vssadmin "resize shadowstorage": shrinking the store evicts existing copies.
$cmd8 = "resize shadowstorage /for=c: /on=c: /maxsize=" ascii wide nocase
// Contains a %s placeholder, so this matches the format template as embedded
// in a binary, not the rendered command line.
$cmd9 = "shadowcopy where \"ID='%s'\" delete" ascii wide nocase
$cmd10 = "wmic.exe SHADOWCOPY /nointeractive" ascii wide nocase
$cmd11 = "WMIC.exe shadowcopy delete" ascii wide nocase
// PowerShell form: Win32_Shadowcopy instances piped into .Delete().
$cmd12 = "Win32_Shadowcopy | ForEach-Object {$_.Delete();}" ascii wide nocase
// Bulk deletion of backup files: "del /s /f /q" followed by one or more
// "<drive>:\*." or "<drive>:\backup" arguments, each optionally ending in a
// backup extension (VHD, bac, bak, wbcat, bkf). Unlike the strings above this
// regex carries no nocase modifier, so "DEL /S /F /Q" does not match; only
// the [Bb] in "backup" is case-tolerant.
$delr = /del \/s \/f \/q(( [A-Za-z]:\\(\*\.|[Bb]ackup))(VHD|bac|bak|wbcat|bkf)?)+/ ascii wide
// $wp*: wbadmin backup / catalog / system-state deletion.
$wp1 = "delete catalog -quiet" ascii wide nocase
$wp2 = "wbadmin delete backup" ascii wide nocase
$wp3 = "delete systemstatebackup" ascii wide nocase
condition:
// YARA's "and" binds tighter than "or", so this reads as four alternatives:
//   1. PE file (uint16(0) == 0x5a4d is the "MZ" header) with 2+ $cmd* hits
//   2. 1+ $cmd* hit together with 1+ $wp* hit (any file type)
//   3. more than 4 occurrences of the $delr regex (#delr is the match count)
//   4. any 4 strings at all, $x* included
// Only alternative 1 is gated on the MZ header.
(uint16(0) == 0x5a4d and 2 of ($cmd*) or (1 of ($cmd*) and 1 of ($wp*)) or #delr > 4) or (4 of them)
}
Associated Techniques
Technique Name | Technique IDs | Snippet(s) | OS |
---|---|---|---|
Volume Shadow Copy Service (VSC,VSS) Deletion | U0305 T1070.004 |
Matching Samples (10 most recent)
Sample Name | Matching Techniques | First Seen | Last Seen |
---|---|---|---|
f9a5a72ead096594c5d59abe706e...0c3b4ebd7690f2eb114a37d1a7db | 6 | 2024-11-19 | 3 days, 18 hours ago |
f2665f89ba53abd3deb81988c0d5...4053e77fc89b98b64a31a7504d77 | 6 | 2024-11-19 | 3 days, 18 hours ago |
Created
June 20, 2022
Last Revised
June 20, 2022