Backup deletion | SOC Hunt Feed

Hunt Hypothesis

The hypothesis is that an adversary is using wmic.exe to delete shadow copy snapshots as part of a preparation step before encrypting files, potentially to evade detection or data recovery. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early signs of ransomware activity and prevent data loss.

KQL Query

DeviceProcessEvents
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete"
| project DeviceId, Timestamp, InitiatingProcessFileName, FileName,
ProcessCommandLine, InitiatingProcessIntegrityLevel, InitiatingProcessParentFileName

Analytic Rule Definition

id: fc2c12c1-ee93-45c2-9a1f-f8a143ec3eb1
name: Backup deletion
description: |
  This query identifies use of wmic.exe to delete shadow copy snapshots prior to encryption.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
tactics:
- Ransomware
query: |
  DeviceProcessEvents
  | where FileName =~ "wmic.exe"
  | where ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete"
  | project DeviceId, Timestamp, InitiatingProcessFileName, FileName,
  ProcessCommandLine, InitiatingProcessIntegrityLevel, InitiatingProcessParentFileName

Required Data Sources

Sentinel Table	Notes
`DeviceProcessEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: Ransomware

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Ransomware/Backup deletion.yaml)

False Positive Guidance

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task uses wmic.exe to clean up old shadow copies as part of system maintenance.
Filter/Exclusion: Check for the presence of a known maintenance task name (e.g., Cleanup-ShadowCopies) and filter by process name wmic.exe with a command line containing delete and shadowcopy.
Scenario: Antivirus or Endpoint Protection Scan
Description: An endpoint protection tool uses wmic.exe to delete shadow copies during a full system scan to ensure integrity checks.
Filter/Exclusion: Exclude processes where the parent process is a known antivirus or endpoint protection tool (e.g., mpsvc.exe, mcafee.exe, bitdefender.exe).
Scenario: User-Initiated Disk Cleanup
Description: A user runs a disk cleanup tool that internally uses wmic.exe to remove shadow copies as part of free disk space management.
Filter/Exclusion: Filter by user context (e.g., username or userdomain) and check for command lines related to disk cleanup tools (e.g., cleanmgr.exe).
Scenario: System Image Backup Job
Description: A system image backup job uses wmic.exe to delete old shadow copies to free up space before creating a new backup.
Filter/Exclusion: Check for the presence of a known backup job name (e.g., DailySystemBackup) and filter by process name wmic.exe with a command line containing delete and shadowcopy.
Scenario: Windows Update Cleanup
Description: Windows Update or a related service uses wmic.exe to remove shadow copies as part of the update cleanup process.
Filter/Exclusion: Filter by process name `w