{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/shadow-copy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["shadow-copy","anti-forensic","ransomware","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently delete shadow copies on Windows systems to hinder data recovery efforts. This tactic is often observed in ransomware attacks, where the ability to restore from backups is crucial for victims. This activity is typically carried out using legitimate system utilities such as vssadmin.exe or wmic.exe. Endpoint Detection and Response (EDR) agents are essential for detecting this activity. The use of command-line arguments containing \u0026quot;delete\u0026quot; and \u0026quot;shadow\u0026quot; are indicators of malicious intent. This behavior is particularly concerning as it directly impedes incident response and recovery capabilities, allowing attackers to maximize the impact of their operations. The detection focuses on process names and command-line arguments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through various means, such as exploiting vulnerabilities or phishing campaigns (not explicitly covered in source).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains elevated privileges on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses vssadmin.exe to list existing shadow copies: \u003ccode\u003evssadmin list shadows\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses vssadmin.exe to delete shadow copies: \u003ccode\u003evssadmin.exe delete shadows /all /quiet\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker may use wmic.exe to delete shadow copies: \u003ccode\u003ewmic.exe shadowcopy delete\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter deleting shadow copies, the attacker deploys ransomware or exfiltrates sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker may further attempt to disable system recovery options to solidify their control.\u003c/li\u003e\n\u003cli\u003eThe final objective is to extort a ransom payment from the victim or sell stolen data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of shadow copies severely impairs a victim's ability to recover from ransomware attacks or data breaches. The inability to restore from shadow copies often forces organizations to pay ransom demands, leading to significant financial losses and reputational damage. The LockBit 3.0 ransomware group, among others, has been observed using this technique. This can also lead to data loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture command-line arguments (Sysmon EventID 1).\u003c/li\u003e\n\u003cli\u003eEnable Windows Event Log Security logging, specifically event ID 4688, to capture process creation events.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Shadow Copy Deletion via VSSAdmin\u0026quot; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Shadow Copy Deletion via WMIC\u0026quot; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of vssadmin.exe or wmic.exe executing with command-line arguments containing \u0026quot;delete\u0026quot; and \u0026quot;shadow\u0026quot;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-shadow-copy-deletion/","summary":"Attackers delete shadow copies using vssadmin.exe or wmic.exe to prevent data recovery, often preceding ransomware deployment or data exfiltration.","title":"Shadow Copy Deletion via VSSAdmin or WMIC","url":"https://feed.craftedsignal.io/briefs/2024-01-shadow-copy-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Shadow-Copy","version":"https://jsonfeed.org/version/1.1"}