Detect Malicious Usage of Recovery Tools to Delete Backup Files
| Id | 259de2c1-c546-4c6d-a17c-df639722f4d7 |
| Rulename | Detect Malicious Usage of Recovery Tools to Delete Backup Files |
| Description | This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files. https://attack.mitre.org/techniques/T1490/ |
| Severity | High |
| Tactics | Impact |
| Techniques | T1490 |
| Required data connectors | CiscoSecureEndpoint CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne TrendMicroApexOne TrendMicroApexOneAma VMwareCarbonBlack |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml |
| Version | 1.0.0 |
| Arm template | 259de2c1-c546-4c6d-a17c-df639722f4d7.json |
_ASim_ProcessEvent
| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')
| where CommandLine has_all ('delete', 'shadow')
| union isfuzzy=True
(_ASim_ProcessEvent
| where TargetProcessFilename =~ 'bcedit.exe'
| where CommandLine has_all ('/set', 'recoveryenabled no')
)
| project
TimeGenerated,
DvcHostname,
DvcIpAddr,
DvcDomain,
TargetUsername,
TargetUsernameType,
TargetProcessName,
TargetProcessId,
CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')
relevantTechniques:
- T1490
queryPeriod: 1h
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: CrowdStrikeFalconEndpointProtection
- dataTypes:
- SecurityAlert
connectorId: MicrosoftThreatProtection
- dataTypes:
- SentinelOne_CL
connectorId: SentinelOne
- dataTypes:
- CarbonBlackEvents_CL
connectorId: VMwareCarbonBlack
- dataTypes:
- CiscoSecureEndpoint_CL
connectorId: CiscoSecureEndpoint
- dataTypes:
- TMApexOneEvent
connectorId: TrendMicroApexOne
- dataTypes:
- TMApexOneEvent
connectorId: TrendMicroApexOneAma
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerThreshold: 0
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: DnsDomain
columnName: DvcDomain
- identifier: NTDomain
columnName: NTDomain
entityType: Host
- fieldMappings:
- identifier: Address
columnName: DvcIpAddr
entityType: IP
- fieldMappings:
- identifier: Name
columnName: Username
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: NTDomain
columnName: NTDomain
entityType: Account
- fieldMappings:
- identifier: ProcessId
columnName: TargetProcessId
- identifier: CommandLine
columnName: CommandLine
entityType: Process
name: Detect Malicious Usage of Recovery Tools to Delete Backup Files
status: Available
alertDetailsOverride:
alertDisplayNameFormat: Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} by {{TargetUsername}}
alertDescriptionFormat: 'A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files.'
tags:
- Schema: _ASim_ProcessEvent
SchemaVersion: 0.1.4
query: |
_ASim_ProcessEvent
| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')
| where CommandLine has_all ('delete', 'shadow')
| union isfuzzy=True
(_ASim_ProcessEvent
| where TargetProcessFilename =~ 'bcedit.exe'
| where CommandLine has_all ('/set', 'recoveryenabled no')
)
| project
TimeGenerated,
DvcHostname,
DvcIpAddr,
DvcDomain,
TargetUsername,
TargetUsernameType,
TargetProcessName,
TargetProcessId,
CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')
queryFrequency: 1h
id: 259de2c1-c546-4c6d-a17c-df639722f4d7
severity: High
description: |
This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files.
https://attack.mitre.org/techniques/T1490/
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml
kind: Scheduled
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/259de2c1-c546-4c6d-a17c-df639722f4d7')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/259de2c1-c546-4c6d-a17c-df639722f4d7')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files.",
"alertDisplayNameFormat": "Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} by {{TargetUsername}}"
},
"alertRuleTemplateName": "259de2c1-c546-4c6d-a17c-df639722f4d7",
"customDetails": null,
"description": "This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files.\nhttps://attack.mitre.org/techniques/T1490/\n",
"displayName": "Detect Malicious Usage of Recovery Tools to Delete Backup Files",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DvcHostname",
"identifier": "HostName"
},
{
"columnName": "DvcDomain",
"identifier": "DnsDomain"
},
{
"columnName": "NTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DvcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Username",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
},
{
"columnName": "NTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "TargetProcessId",
"identifier": "ProcessId"
},
{
"columnName": "CommandLine",
"identifier": "CommandLine"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml",
"query": "_ASim_ProcessEvent\n| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')\n| where CommandLine has_all ('delete', 'shadow')\n| union isfuzzy=True \n (_ASim_ProcessEvent\n | where TargetProcessFilename =~ 'bcedit.exe'\n | where CommandLine has_all ('/set', 'recoveryenabled no')\n )\n| project\n TimeGenerated,\n DvcHostname,\n DvcIpAddr,\n DvcDomain,\n TargetUsername,\n TargetUsernameType,\n TargetProcessName,\n TargetProcessId,\n CommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[1]), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[0]), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"tags": [
{
"Schema": "_ASim_ProcessEvent",
"SchemaVersion": "0.1.4"
}
],
"techniques": [
"T1490"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}