detection.wiki

Detection rules › Sigma

VSS backup deletion via WMI (Powershell)

Status
experimental
Severity
high
Log source
product windows, category ['ps_module', 'ps_classic_script', 'ps_script']
Author
mdecrevoisier
Source
github.com/mdecrevoisier/SIGMA-detection-rules

Detects scenarios where an attacker attempts to delete existing VSS backup via WMI.

MITRE ATT&CK coverage

TacticTechniques
ImpactT1490 Inhibit System Recovery

Event coverage

ProviderEventTitle
PowerShellEvent ID 4103Payload Context: ContextInfo User Data: UserData.
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).
PowerShellEvent ID 800Event ID 800

Rule body yaml

title: VSS backup deletion via WMI (Powershell)
description: Detects scenarios where an attacker attempts to delete existing VSS backup via WMI.
references:
- https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0040-Impact/T1490-Inhibit%20System%20Recovery
- https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks
- https://www.itechtics.com/volume-shadow-copies/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin
- https://www.picussecurity.com/resource/blog/technique-to-delete-volume-shadow-copies-deviceiocontrol
- https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
- https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html
tags:
- attack.impact
- attack.t1490
author: mdecrevoisier
status: experimental
logsource:
  product: windows
  category:
    - ps_module
    - ps_classic_script
    - ps_script
detection: # full command: "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
  selection_powershell_native:
    EventID: 800
    EventData|contains:
      - Get-WmiObject
      - Gwmi # Short version of previous object
      - Get-CimInstance
      - Gcim # Short version of previous object
    EventData|contains: Win32_Shadowcopy
    EventData|contains:
      - Delete
      - Remove-WmiObject
      - Rwmi # Short version of previous object
      - Remove-CimInstance
      - Rcim # Short version of previous object

  selection_powershell_modern:
    EventID: 4103
    Payload|contains:
      - Get-WmiObject
      - Gwmi # Short version of previous object
      - Get-CimInstance
      - Gcim # Short version of previous object
    Payload|contains: Win32_Shadowcopy
    Payload|contains:
      - Delete
      - Remove-WmiObject
      - Rwmi # Short version of previous object
      - Remove-CimInstance
      - Rcim # Short version of previous object

  selection_powershell_block:
    EventID: 4104
    ScriptBlockText|contains:
      - Get-WmiObject
      - Gwmi # Short version of previous object
      - Get-CimInstance
      - Gcim # Short version of previous object
    ScriptBlockText|contains: Win32_Shadowcopy
    ScriptBlockText|contains:
      - Delete
      - Remove-WmiObject
      - Rwmi # Short version of previous object
      - Remove-CimInstance
      - Rcim # Short version of previous object

  condition: 1 of selection*
falsepositives:
- None
level: high

Stages and Predicates

Stage 0: condition

1 of selection*

Stage 1: selection_powershell_native

selection_powershell_native:
  EventID: 800
  EventData|contains:
    - Get-WmiObject
    - Gwmi
    - Get-CimInstance
    - Gcim
  EventData|contains: Win32_Shadowcopy
  EventData|contains:
    - Delete
    - Remove-WmiObject
    - Rwmi
    - Remove-CimInstance
    - Rcim

Stage 2: selection_powershell_modern

selection_powershell_modern:
  EventID: 4103
  Payload|contains:
    - Get-WmiObject
    - Gwmi
    - Get-CimInstance
    - Gcim
  Payload|contains: Win32_Shadowcopy
  Payload|contains:
    - Delete
    - Remove-WmiObject
    - Rwmi
    - Remove-CimInstance
    - Rcim

Stage 3: selection_powershell_block

selection_powershell_block:
  EventID: 4104
  ScriptBlockText|contains:
    - Get-WmiObject
    - Gwmi
    - Get-CimInstance
    - Gcim
  ScriptBlockText|contains: Win32_Shadowcopy
  ScriptBlockText|contains:
    - Delete
    - Remove-WmiObject
    - Rwmi
    - Remove-CimInstance
    - Rcim

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventDatamatch
  • Delete
  • Rcim
  • Remove-CimInstance
  • Remove-WmiObject
  • Rwmi
Payloadmatch
  • Delete
  • Rcim
  • Remove-CimInstance
  • Remove-WmiObject
  • Rwmi
ScriptBlockTextmatch
  • Delete corpus 2 (sigma 1, splunk 1)
  • Rcim corpus 2 (sigma 2)
  • Remove-CimInstance corpus 2 (sigma 2)
  • Remove-WmiObject corpus 2 (sigma 2)
  • Rwmi corpus 2 (sigma 2)