Obfuscated PowerShell with Shadow Copy Wipe
Last updated on:
In this page
About the rule
Rule Type
Advanced
Rule Description
This rule detects a suspicious behavior pattern where an attacker executes an encoded PowerShell command commonly used for obfuscation and shortly after deletes volume shadow copies using vssadmin or wmic. This behavior is typical of ransomware or destructive malware attempting to prevent file recovery. Immediate investigation and isolation of the host are recommended.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Process started" AND (PROCESSNAME endswith "vssadmin.exe,wmic.exe" AND COMMANDLINE contains "delete,resize,shadow")
Action2:
actionname = "Hyper detected" AND (FILEPATH contains "powershell_ise.exe,powershell.exe,pwsh.exe" AND COMMANDLINE contains "-EncodedCommand,-Encoded,-enc,-e,/EncodedCommand:,/enc:,/e:,-e:,-enc:") AND ENDPOINT_NAME = Action1.HOSTNAME AND DOMAIN = Action1.DOMAIN AND USERNAME = Action1.USERNAME
sequence:Action1 followedby Action2 within 60m
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID,Action2.HOSTNAME,Action2.ENDPOINT_NAME,Action2.STATUS,Action2.SEVERITYLEVEL,Action2.TYPE,Action2.THREAT,Action2.FILEPATH,Action2.USERNAME,Action2.PROCESSNAME,Action2.DOMAIN
Detection
Execution Mode
realtime
Log Sources
Bitdefender


