(YARA) YARA_SHADOW_COPY_DELETION
Created the . Updated 2 years, 2 months ago.
rule shadow_copy_deletion {
meta:
description = "Detect shadow copy deletion"
author = "ditekSHen/Unprotect"
strings:
$x1 = "cmd.exe /c \"vssadmin.exe Delete Shadows /all /quiet\"" fullword ascii
$x2 = "C:\\Windows\\System32\\cmd.exe" fullword ascii
$cmd1 = "cmd /c \"WMIC.exe shadowcopy delet\"" ascii wide nocase
$cmd2 = "vssadmin.exe Delete Shadows /all" ascii wide nocase
$cmd3 = "Delete Shadows /all" ascii wide nocase
$cmd4 = "} recoveryenabled no" ascii wide nocase
$cmd5 = "} bootstatuspolicy ignoreallfailures" ascii wide nocase
$cmd6 = "wmic SHADOWCOPY DELETE" ascii wide nocase
$cmd7 = "\\Microsoft\\Windows\\SystemRestore\\SR\" /disable" ascii wide nocase
$cmd8 = "resize shadowstorage /for=c: /on=c: /maxsize=" ascii wide nocase
$cmd9 = "shadowcopy where \"ID='%s'\" delete" ascii wide nocase
$cmd10 = "wmic.exe SHADOWCOPY /nointeractive" ascii wide nocase
$cmd11 = "WMIC.exe shadowcopy delete" ascii wide nocase
$cmd12 = "Win32_Shadowcopy | ForEach-Object {$_.Delete();}" ascii wide nocase
$delr = /del \/s \/f \/q(( [A-Za-z]:\\(\*\.|[Bb]ackup))(VHD|bac|bak|wbcat|bkf)?)+/ ascii wide
$wp1 = "delete catalog -quiet" ascii wide nocase
$wp2 = "wbadmin delete backup" ascii wide nocase
$wp3 = "delete systemstatebackup" ascii wide nocase
condition:
(uint16(0) == 0x5a4d and 2 of ($cmd*) or (1 of ($cmd*) and 1 of ($wp*)) or #delr > 4) or (4 of them)
}
Associated Techniques
Technique Name | Technique ID's | Has Snippet(s) |
---|---|---|
Volume Shadow Copy Service (VSC,VSS) Deletion | U0305 T1070.004 |