Many of our publications lately have been devoted to various ransomware strains, and the rules for detecting Matrix ransomware characteristics will not help to identify Ragnar Locker or Maze. The malware is constantly changing: its authors change not only the IOCs known to security researchers but also the behavior, to make threat hunting content useless against their ‘inventions’. In modern ransomware, almost everything is different: infection vectors, ways of bypassing security solutions, process termination, additional functions, and persistence mechanisms. The only things they share are file encryption (in some cases quite creative) and the erasure of Shadow Copies.
That last “feature” is the topic of today’s mini-digest. There are many ways to remove or damage volume backups, and security researchers and cybercriminals keep finding new methods to make data recovery after an attack impossible. The SOC Prime team has released three new exclusive threat hunting rules to detect the stomping or deletion of Shadow Copies:
Possible Stomping Shadow Copies (via imageload): https://tdm.socprime.com/tdm/info/9xzFEUJd0gNX/8GvGSnUBR-lx4sDxVANV/
Possible Stomping Shadow Copies (via cmdline): https://tdm.socprime.com/tdm/info/r9H5KNdiuwhl/2K7FSnUBTwmKwLA9VMSM/
Possible Shadow Copies Deletion (via powershell): https://tdm.socprime.com/tdm/info/23zs3NjeUSDA/jXPESnUBmo5uvpkjgSQ5/
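As an added illustration of what a cmdline/powershell rule of this kind has to match (example code written for this digest, not the logic of the SOC Prime rules linked above), the Python below runs a few hypothetical patterns over constructed Sysmon-style process-creation events. The event shape, the rule patterns and the -EncodedCommand decoding are all assumptions; the third sample shows why a rule that only reads the raw command line misses a base64-encoded PowerShell payload.

```python
import base64
import re

# Constructed Sysmon-style process-creation events (Event ID 1 field names,
# sample data, not real telemetry). The third one hides the PowerShell
# payload behind -EncodedCommand, which a plain substring rule misses.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -EncodedCommand " + base64.b64encode(
         "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject".encode("utf-16le")).decode()},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe List Shadows"},   # benign inventory, must not fire
]

# Hypothetical rule content, not the SOC Prime rules from the digest.
RULES = {
    "cmdline_vssadmin_delete": re.compile(r"vssadmin(\.exe)?\s.*\bdelete\s+shadows", re.I),
    "cmdline_vssadmin_resize": re.compile(r"vssadmin(\.exe)?\s.*\bresize\s+shadowstorage", re.I),
    "cmdline_wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s.*\bshadowcopy\b.*\bdelete\b", re.I),
    "powershell_shadowcopy_removal": re.compile(
        r"win32_shadowcopy.*(remove-wmiobject|remove-ciminstance|\.delete\(\))", re.I),
}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script).
_ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]+)", re.I)

def expand_command_line(cmd: str) -> str:
    """Append the decoded -EncodedCommand script, if any, so the rules see it."""
    m = _ENCODED.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:          # not valid base64 / not UTF-16LE: leave as-is
        return cmd
    return f"{cmd} ; {decoded}"

def match_rules(event: dict) -> list[str]:
    """Names of the rules that fire on one process-creation event."""
    text = expand_command_line(event.get("CommandLine", ""))
    return [name for name, pattern in RULES.items() if pattern.search(text)]

def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """(CommandLine, rule hits) for every event that triggered at least one rule."""
    return [(e["CommandLine"], hits) for e in events if (hits := match_rules(e))]
```

Running `scan(SAMPLE_EVENTS)` flags the first three events and leaves the benign `List Shadows` query alone; in a real pipeline the decoded script would also be written back to the event so analysts see it.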
The rules in this collection have translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint
Techniques: Inhibit System Recovery (T1490)
Also check the other rules that detect such malicious activity in Threat Detection Marketplace: https://tdm.socprime.com/?logSourceTypes=&strictSearchActorTool=&mitreTagged=&contentViewType=&searchSubType=&searchValue=shadow+copies&searchProject=all&searchQueryFeatures=false