- Home
- Play books
- Windows - Shadow Copy deletion remediation
Windows - Shadow Copy deletion remediation
In this page
Playbook Description
This playbook investigates shadow copy deletions by analyzing file reputation, process trees, and alerts. Upon confirming malicious intent, it automatically logs off the user and terminates the offending process. Finally, it scans for encrypted files to flag ransomware signatures, assesses the scope of the impact, and notifies the security team to initiate immediate recovery and containment protocols.
MITRE ATT&CK mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Defense Evasion(TA0005) | Obfuscated Files or Information(T1027) | Steganography(T1027.003) |
MITRE D3FEND mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| (Restore) D3-Restore | (Restore Object) D3-RO | (Restore Database) D3-RD |
Playbook input type
Alert
Prerequisites
- Windows credentials: Navigate to Settings -> Devices -> Windows Devices.
- Provide/update the credentials of the respective Windows device with admin privileges.
Playbook creation input
- connectionName - Provide the VirusTotal connection name for executing the VirusTotal APIs.
Dependencies
Extensions:
- virustotal_fileReputation.
Utility:
- utility_getRequiredTime
- utility_convertTimeToUTC
- utility_extractFieldFromList
- windows_detectMaliciousProcessChain
- utility_convertToString
- virustotal_extractRansomwareByHash
Scripts
| Script Name | Description | Arguments |
|---|---|---|
| StopProcess.ps1 | Stops processes by PID or file path. Supports hex PIDs and comma-separated inputs. Skips protected PowerShell executables. | ProcessIdentifiers |
| FetchEncryptedFiles.ps1 | Analyzes files for encryption indicators using entropy calculation, printable character ratio, and file header magic bytes | FilePaths, EntropyThreshold |
| TerminateSession.ps1 | Logs off one or more user sessions using logoff , with optional RDP-only filtering by remote IP | UserNames, RemoteIP |
| FetchShadowCopies.ps1 | Retrieves all Volume Shadow Copy (VSS) snapshots on the system via WMI | - |
| AddSoftwareRestrictionPolicy.ps1 | Creates Software Restriction Policy (SRP) rules in the Windows registry to block execution of programs from specified paths. For each path, it checks if an SRP rule already exists — if so and it's not set to "Disallowed", it updates the existing rule; otherwise it creates a new GUID-keyed rule under HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths. Enables SRP enforcement (TransparentEnabled=1, PolicyScope=0) on each run. | RestrictedPath |
Connections
VirusTotal connection - Need to connect to VirusTotal API and fetch access key to check the malware IP/URL/file details.
Sub playbooks
- Log360Cloud - Create or update incident
- Windows - File enrichment
- Windows Defender quick scan
Execution workflow
Investigation:
- Fetches shadow copies.
- Enriches file details via VirusTotal.
- Builds process execution tree and check associated critical alerts.
- Fetches process execution tree and check for malicious chain.
Decision logic:
- Proceeds to remediation based on the following conditions:
- If no shadow copy details found, AND
- Has High risk OR Medium risk score in reputation, OR
- Process tree flow is malicious, AND
- Critical alerts are found
Remediation:
- If malicious, logs off the user.
- Terminates and blocks the process.
- Fetches the files accessed after attack.
- Checks encrypted files and fetches file hash reputation.
- Extracts ransomware names.
Post execution procedure
Restrict privileges for other users except admin.
