Detect Malicious Usage of Recovery Tools to Delete Backup Files
| Id | 259de2c1-c546-4c6d-a17c-df639722f4d7 |
| Rulename | Detect Malicious Usage of Recovery Tools to Delete Backup Files |
| Description | This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files. https://attack.mitre.org/techniques/T1490/ |
| Severity | High |
| Tactics | Impact |
| Techniques | T1490 |
| Required data connectors | CiscoSecureEndpoint CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne TrendMicroApexOne TrendMicroApexOneAma VMwareCarbonBlack |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml |
| Version | 1.0.0 |
| Arm template | 259de2c1-c546-4c6d-a17c-df639722f4d7.json |
_ASim_ProcessEvent
| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')
| where CommandLine has_all ('delete', 'shadow')
| union isfuzzy=True
(_ASim_ProcessEvent
| where TargetProcessFilename =~ 'bcedit.exe'
| where CommandLine has_all ('/set', 'recoveryenabled no')
)
| project
TimeGenerated,
DvcHostname,
DvcIpAddr,
DvcDomain,
TargetUsername,
TargetUsernameType,
TargetProcessName,
TargetProcessId,
CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')
queryFrequency: 1h
eventGroupingSettings:
aggregationKind: AlertPerResult
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
- connectorId: SentinelOne
dataTypes:
- SentinelOne_CL
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
dataTypes:
- CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
dataTypes:
- TMApexOneEvent
- connectorId: TrendMicroApexOneAma
dataTypes:
- TMApexOneEvent
tags:
- Schema: _ASim_ProcessEvent
SchemaVersion: 0.1.4
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml
query: |
_ASim_ProcessEvent
| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')
| where CommandLine has_all ('delete', 'shadow')
| union isfuzzy=True
(_ASim_ProcessEvent
| where TargetProcessFilename =~ 'bcedit.exe'
| where CommandLine has_all ('/set', 'recoveryenabled no')
)
| project
TimeGenerated,
DvcHostname,
DvcIpAddr,
DvcDomain,
TargetUsername,
TargetUsernameType,
TargetProcessName,
TargetProcessId,
CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: DnsDomain
columnName: DvcDomain
- identifier: NTDomain
columnName: NTDomain
- entityType: IP
fieldMappings:
- identifier: Address
columnName: DvcIpAddr
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: NTDomain
columnName: NTDomain
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: TargetProcessId
- identifier: CommandLine
columnName: CommandLine
relevantTechniques:
- T1490
name: Detect Malicious Usage of Recovery Tools to Delete Backup Files
description: |
This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files.
https://attack.mitre.org/techniques/T1490/
severity: High
queryPeriod: 1h
alertDetailsOverride:
alertDescriptionFormat: 'A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files.'
alertDisplayNameFormat: Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} by {{TargetUsername}}
triggerOperator: gt
kind: Scheduled
status: Available
tactics:
- Impact
id: 259de2c1-c546-4c6d-a17c-df639722f4d7
version: 1.0.0
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/259de2c1-c546-4c6d-a17c-df639722f4d7')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/259de2c1-c546-4c6d-a17c-df639722f4d7')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files.",
"alertDisplayNameFormat": "Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} by {{TargetUsername}}"
},
"alertRuleTemplateName": "259de2c1-c546-4c6d-a17c-df639722f4d7",
"customDetails": null,
"description": "This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files.\nhttps://attack.mitre.org/techniques/T1490/\n",
"displayName": "Detect Malicious Usage of Recovery Tools to Delete Backup Files",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DvcHostname",
"identifier": "HostName"
},
{
"columnName": "DvcDomain",
"identifier": "DnsDomain"
},
{
"columnName": "NTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DvcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Username",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
},
{
"columnName": "NTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "TargetProcessId",
"identifier": "ProcessId"
},
{
"columnName": "CommandLine",
"identifier": "CommandLine"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml",
"query": "_ASim_ProcessEvent\n| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')\n| where CommandLine has_all ('delete', 'shadow')\n| union isfuzzy=True \n (_ASim_ProcessEvent\n | where TargetProcessFilename =~ 'bcedit.exe'\n | where CommandLine has_all ('/set', 'recoveryenabled no')\n )\n| project\n TimeGenerated,\n DvcHostname,\n DvcIpAddr,\n DvcDomain,\n TargetUsername,\n TargetUsernameType,\n TargetProcessName,\n TargetProcessId,\n CommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[1]), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[0]), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"tags": [
{
"Schema": "_ASim_ProcessEvent",
"SchemaVersion": "0.1.4"
}
],
"techniques": [
"T1490"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}