-
Notifications
You must be signed in to change notification settings - Fork 3
/
Detect_Suspicious_Usage_Of_VSSADMIN.EXE.md.txt
39 lines (32 loc) · 1.12 KB
/
Detect_Suspicious_Usage_Of_VSSADMIN.EXE.md.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# Detect Suspicious Usage Of VSSADMIN.EXE
## Author
McAfee
## Description
This rule detects deletion of volume shadow copies using vssadmin.exe process. This behavior is observed with a few ransomware actors.
## Rule Class
Processes
## Rule TCL
```tcl
The original rule:
Rule {
Target {
Match PROCESS {
Include OBJECT_NAME { -v "vssadmin.exe" }
Include PROCESS_CMD_LINE { -v "* delete shadows * /all * /quiet *" }
Include PROCESS_CMD_LINE { -v "* delete shadows * /all /quiet" }
Include PROCESS_CMD_LINE { -v "* delete shadows /all /quiet" }
Include PROCESS_CMD_LINE { -v "* delete shadows * /quiet /all" }
Include PROCESS_CMD_LINE { -v "* delete shadows * /quiet * /all *" }
Include PROCESS_CMD_LINE { -v "* delete shadows /quiet /all" }
Include -access "CREATE"
}
}
}
```
## Trigger
NA
## Tested Platforms
OS: Windows 10 20H1 x64 and x86
ENS: 10.7.0 November'20 update
## Notes
Customers are advised to fine-tune the rule in their environment or disable the signature if there are false positives.