Obfuscated PowerShell with Shadow Copy Wipe

Last updated on:

About the rule

Rule Type

Advanced

Rule Description

This rule detects a suspicious behavior pattern where an attacker executes an encoded PowerShell command commonly used for obfuscation and shortly after deletes volume shadow copies using vssadmin or wmic. This behavior is typical of ransomware or destructive malware attempting to prevent file recovery. Immediate investigation and isolation of the host are recommended.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Process started" AND (PROCESSNAME endswith "vssadmin.exe,wmic.exe" AND COMMANDLINE contains "delete,resize,shadow") Action2: actionname = "Hyper detected" AND (FILEPATH contains "powershell_ise.exe,powershell.exe,pwsh.exe" AND COMMANDLINE contains "-EncodedCommand,-Encoded,-enc,-e,/EncodedCommand:,/enc:,/e:,-e:,-enc:") AND ENDPOINT_NAME = Action1.HOSTNAME AND DOMAIN = Action1.DOMAIN AND USERNAME = Action1.USERNAME sequence:Action1 followedby Action2 within 60m select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID,Action2.HOSTNAME,Action2.ENDPOINT_NAME,Action2.STATUS,Action2.SEVERITYLEVEL,Action2.TYPE,Action2.THREAT,Action2.FILEPATH,Action2.USERNAME,Action2.PROCESSNAME,Action2.DOMAIN

Detection

Execution Mode

realtime

Log Sources

Bitdefender