Adversaries may delete shadow copies to prevent data recovery and obfuscate their malicious activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential ransomware operations early and mitigate data loss.
KQL Query
```kusto
let CommonRansomwareExecutionCommands = dynamic([
    @'vssadmin.exe delete shadows /all /quiet',
    @'wmic.exe shadowcopy delete',
    @'wbadmin delete catalog -quiet',
    @'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}',
    @'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk',
    @'wbadmin delete systemstatebackup -keepVersions:0',
    @'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable',
    @'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1',
    @'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f',
    @'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f',
    @'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f',
    @'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f',
    @'reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /f >nul 2>&1',
    @'reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /f >nul 2>&1',
    @'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f >nul 2>&1',
    @'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1'
]);
DeviceProcessEvents
| where ProcessCommandLine has_any (CommonRansomwareExecutionCommands)
| project-reorder Timestamp, ProcessCommandLine, DeviceName, AccountName
```
```yaml
id: ff9a1c12-e448-55ff-a576-7f53caa32044
name: Shadow Copy Deletions
description: |
  This rule detects when Shadow Copies are being deleted. This is a known action performed by threat actors (TAs).
  This query detects known commands that have been used by ransomware actors.
  Some information from MITRE ATT&CK:
  https://attack.mitre.org/techniques/T1490/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Ransomware
relevantTechniques:
  - T1490
query: |
  let CommonRansomwareExecutionCommands = dynamic([
      @'vssadmin.exe delete shadows /all /quiet',
      @'wmic.exe shadowcopy delete',
      @'wbadmin delete catalog -quiet',
      @'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}',
      @'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk',
      @'wbadmin delete systemstatebackup -keepVersions:0',
      @'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable',
      @'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1',
      @'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f',
      @'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f',
      @'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f',
      @'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f',
      @'reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /f >nul 2>&1',
      @'reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /f >nul 2>&1',
      @'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f >nul 2>&1',
      @'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1'
  ]);
  DeviceProcessEvents
  | where ProcessCommandLine has_any (CommonRansomwareExecutionCommands)
  | project-reorder Timestamp, ProcessCommandLine, DeviceName, AccountName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountName
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task Deleting Shadow Copies
Description: A legitimate system maintenance task, such as vssadmin or vssutil, is configured to delete shadow copies as part of disk cleanup or system optimization.
Filter/Exclusion: Check for the presence of vssadmin or vssutil in the command line, and filter out processes initiated by scheduled tasks with known maintenance purposes.

Scenario: Admin Task to Remove Old Shadow Copies
Description: An administrator manually runs a command like vssadmin delete shadows to remove outdated shadow copies to free up disk space.
Filter/Exclusion: Filter out commands executed by user accounts with administrative privileges and check for the presence of vssadmin or vssutil in the command line.

Scenario: Backup Software Performing Shadow Copy Cleanup
Description: A backup tool such as Veeam, Acronis, or Backup Exec may delete shadow copies as part of its cleanup process after a backup job completes.
Filter/Exclusion: Exclude processes associated with known backup software or check for the presence of backup-related service names or command-line arguments.

Scenario: User-Initiated Disk Space Management
Description: A user runs a disk cleanup tool or manually deletes shadow copies using the vssadmin command to free up disk space.
Filter/Exclusion: Filter out commands executed by non-admin users or check for the presence of vssadmin in the command line with a known cleanup purpose.

Scenario: Antivirus or Security Software Removing Shadow Copies
Description: Some security tools may delete shadow copies as part of a scan or to prevent malware from hiding within shadow copies.
Filter/Exclusion: Exclude processes associated with known antivirus or endpoint protection software, or check for the presence of security tool
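One way to fold the scheduled-maintenance, backup-software and security-software scenarios above into the hunting query, as an added example that is not part of the original rule: the process names in `KnownShadowCopyCleanupProcesses` are placeholders for the backup and endpoint-security agents actually deployed in your environment, and the query assumes the `InitiatingProcessFileName` and `InitiatingProcessCommandLine` columns that the Microsoft 365 Defender `DeviceProcessEvents` table provides.

```kusto
// Added example (not from the original rule): the page's hunting query with the
// false-positive handling from the scenarios above folded in as exclusions.
let CommonRansomwareExecutionCommands = dynamic([
    @'vssadmin.exe delete shadows /all /quiet',
    @'wmic.exe shadowcopy delete',
    @'wbadmin delete catalog -quiet',
    @'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}',
    @'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk',
    @'wbadmin delete systemstatebackup -keepVersions:0',
    @'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable',
    @'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1',
    @'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f',
    @'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f',
    @'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f',
    @'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f',
    @'reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /f >nul 2>&1',
    @'reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /f >nul 2>&1',
    @'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f >nul 2>&1',
    @'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1'
]);
// Placeholder names: replace with the backup and endpoint-security agents actually deployed
// (the "Backup Software" and "Antivirus or Security Software" scenarios above).
let KnownShadowCopyCleanupProcesses = dynamic(["backup-agent-placeholder.exe", "security-agent-placeholder.exe"]);
DeviceProcessEvents
| where ProcessCommandLine has_any (CommonRansomwareExecutionCommands)
// Drop executions whose parent is an approved backup or security agent.
| where not(InitiatingProcessFileName in~ (KnownShadowCopyCleanupProcesses))
// "Scheduled System Maintenance Task" scenario: drop runs started by the Task Scheduler
// service host under a service account. The same command launched by a scheduled task that
// runs as an interactive user stays in scope, since that is how ransomware often persists.
| where not(InitiatingProcessFileName =~ "svchost.exe"
            and InitiatingProcessCommandLine has "Schedule"
            and AccountName in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"))
// One row per host, account and parent process, so a single ransomware run that issues
// several of these commands shows up as one finding rather than many.
| summarize Hits = count(), Commands = make_set(ProcessCommandLine, 20),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName
| order by Hits desc
```

`has_any` matches each entry as a whole phrase, so only command lines containing one of these exact token sequences are returned; matching on individual tokens (for example with `has_all`) widens coverage at the cost of more tuning of the exclusions shown here.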