Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script

Rule name: Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Impact: Inhibit System Recovery (T1490)

Severity: Trouble

About the rule

Rule Type

Standard

Rule Description

Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script is a scenario in which a process uses PowerShell together with Get-WmiObject to delete the Windows Volume Shadow Copies, defeating system recovery and hampering forensic analysis. This method is mostly employed by ransomware strains like Sodinokibi and REvil.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access (through phishing) → Execution → Privilege Escalation → Command and Control → Impact

Impact

  • A PowerShell script is executed to drop payloads.
  • The PowerShell script uses a known UAC bypass technique to elevate privileges, giving the attacker full access to the system.
  • The attacker uses the PowerShell cmdlet Get-WmiObject Win32_ShadowCopy followed by a WMI method invocation to delete all volume shadow copies on the system.
  • Files are encrypted and a ransom note is displayed.

Rule Requirement

Prerequisites

  • Log in to the Group Policy Management Console (GPMC) with domain admin credentials.
  • In the Group Policy Management Editor, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell and enable Turn on Module Logging.
  • In the Options pane, click Show, enter * in the Module Name field to record all modules, and click OK.
  • In the Group Policy Management Editor, go to Computer Configuration and enable Turn on PowerShell Script Block Logging.
  • Create a new registry key "Microsoft-Windows-PowerShell/Operational" under "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".

Criteria

Action1: actionname = "PowerShell Script Block Logged" AND SCRIPTEXECUTED contains "Get-WmiObject,gwmi,Get-CimInstance,gcim" AND SCRIPTEXECUTED contains "Win32_ShadowCopy" AND SCRIPTEXECUTED contains ".Delete(),Remove-WmiObject,rwmi,Remove-CimInstance,rcim" select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED
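The criteria above applied in code, as an added example that is not part of this rule page or the product: a Python matcher that treats each comma-separated list in the rule as "any of", runs it over constructed script-block events, and tags hits from an allowlisted maintenance-script path so the false positive described under Known False Positives is visible to the analyst rather than silently dropped. Field names follow the criteria; the case-insensitive comparison and the Path field are assumptions.

```python
# Token groups taken from the rule's criteria: a script block must contain at least
# one token from each group (the comma-separated lists in the rule read as "any of").
QUERY_TOKENS = ("Get-WmiObject", "gwmi", "Get-CimInstance", "gcim")
CLASS_TOKENS = ("Win32_ShadowCopy",)
DELETE_TOKENS = (".Delete()", "Remove-WmiObject", "rwmi", "Remove-CimInstance", "rcim")


def contains_any(text, tokens):
    # Cmdlet names are case-insensitive in PowerShell, so match that way (assumption:
    # the SIEM's "contains" operator may or may not be case-sensitive).
    lowered = text.lower()
    return any(token.lower() in lowered for token in tokens)


def matches_rule(event):
    """True when a 'PowerShell Script Block Logged' event meets all three conditions."""
    if event.get("actionname") != "PowerShell Script Block Logged":
        return False
    script = event.get("SCRIPTEXECUTED", "")
    return all(contains_any(script, g) for g in (QUERY_TOKENS, CLASS_TOKENS, DELETE_TOKENS))


def triage(events, allowlisted_paths=()):
    """Return the rule's selected fields for each hit; hits whose script path is an
    allowlisted maintenance script are tagged as the documented false-positive case."""
    hits = []
    for event in events:
        if matches_rule(event):
            hits.append({"HOSTNAME": event["HOSTNAME"], "MESSAGE": event["MESSAGE"],
                         "SCRIPTEXECUTED": event["SCRIPTEXECUTED"],
                         "known_false_positive": event.get("Path", "") in allowlisted_paths})
    return hits


def event(host, script, path=""):
    # Constructed sample event in the rule's field layout; host names and paths are made up.
    return {"actionname": "PowerShell Script Block Logged", "HOSTNAME": host, "Path": path,
            "MESSAGE": "Creating Scriptblock text (1 of 1)", "SCRIPTEXECUTED": script}


SAMPLE_EVENTS = [
    event("WS-01", "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
    event("WS-02", "gcim Win32_ShadowCopy | rcim"),  # alias spelling, still a hit
    event("WS-03", "Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate"),  # enumeration only
    event("BK-01", "gwmi Win32_ShadowCopy | rwmi", r"C:\Program Files\BackupTool\prune-shadows.ps1"),
]
ALLOWLIST = (r"C:\Program Files\BackupTool\prune-shadows.ps1",)

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, ALLOWLIST):
        print(hit["HOSTNAME"], "known false positive" if hit["known_false_positive"] else "alert")
```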

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Inhibit System Recovery (T1490)

Security Standards

Enabling this rule will help you meet the requirements of the security standards listed below:

PR.DS-11: Backups of data are created, protected, maintained, and tested

This security standard requires security administrators to schedule regular backups, protect them from unauthorized access with encryption, and test their integrity to ensure complete and safe restoration.

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

Security administrators must continuously monitor the network and its services in real time using SIEM tools and identify unusual behavior during PowerShell execution that involves Get-WmiObject. Enforce policies on web traffic to maintain network security.

Author

Tim Rauch

Future actions

Known False Positives

A well-known false positive scenario is a legitimate security or backup tool running a scheduled PowerShell script that uses WMI commands to clear outdated or unnecessary shadow copies, either to free up disk space or to prepare the system for a full backup.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify the event and check whether the flagged incident is new or part of an existing one.
  2. Analysis: Analyze the impact and extent of the incident to gauge the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow that cuts the network connections and terminates the malicious process.
  4. Reconfiguration: Update the network policies and port configurations, and continuously monitor traffic trends in the network.

Mitigation

M1053 (Data Backup): Implement IT disaster recovery methods and ensure regular data backups. Protect the backups and backup storage by restricting user account access and privileges.

M1038 (Execution Prevention): Use security applications to configure and block the execution of utilities such as diskshadow.exe to prevent potential abuse by adversaries.

M1028 (Operating System Configuration): Implement safeguards to prevent unauthorized disabling of recovery-related services or deletion of critical system recovery files. Additionally, ensure the Windows Recovery Environment (WinRE) is active by running the command:
reagentc /enable

M1018 (User Account Management): Update policies to limit user accounts' access and privileges to backups, and use Service Control Policies to restrict API calls that delete backups, snapshots, and images, especially in AWS.