Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Detect Malicious Usage of Recovery Tools to Delete Backup Files

Back
Id259de2c1-c546-4c6d-a17c-df639722f4d7
RulenameDetect Malicious Usage of Recovery Tools to Delete Backup Files
DescriptionThis analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files.

https://attack.mitre.org/techniques/T1490/
SeverityHigh
TacticsImpact
TechniquesT1490
Required data connectorsCiscoSecureEndpoint
CrowdStrikeFalconEndpointProtection
MicrosoftThreatProtection
SentinelOne
TrendMicroApexOne
TrendMicroApexOneAma
VMwareCarbonBlack
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml
Version1.0.0
Arm template259de2c1-c546-4c6d-a17c-df639722f4d7.json
Deploy To Azure
_ASim_ProcessEvent
| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')
| where CommandLine has_all ('delete', 'shadow')
| union isfuzzy=True 
    (_ASim_ProcessEvent
    | where TargetProcessFilename =~ 'bcedit.exe'
    | where CommandLine has_all ('/set', 'recoveryenabled no')
    )
| project
    TimeGenerated,
    DvcHostname,
    DvcIpAddr,
    DvcDomain,
    TargetUsername,
    TargetUsernameType,
    TargetProcessName,
    TargetProcessId,
    CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
  dataTypes:
  - CommonSecurityLog
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - SecurityAlert
- connectorId: SentinelOne
  dataTypes:
  - SentinelOne_CL
- connectorId: VMwareCarbonBlack
  dataTypes:
  - CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
  dataTypes:
  - TMApexOneEvent
- connectorId: TrendMicroApexOneAma
  dataTypes:
  - TMApexOneEvent
status: Available
relevantTechniques:
- T1490
queryFrequency: 1h
id: 259de2c1-c546-4c6d-a17c-df639722f4d7
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Detect Malicious Usage of Recovery Tools to Delete Backup Files
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - columnName: DvcHostname
    identifier: HostName
  - columnName: DvcDomain
    identifier: DnsDomain
  - columnName: NTDomain
    identifier: NTDomain
  entityType: Host
- fieldMappings:
  - columnName: DvcIpAddr
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Username
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  - columnName: NTDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: TargetProcessId
    identifier: ProcessId
  - columnName: CommandLine
    identifier: CommandLine
  entityType: Process
description: |
  This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files.
  https://attack.mitre.org/techniques/T1490/  
triggerThreshold: 0
tactics:
- Impact
tags:
- Schema: _ASim_ProcessEvent
  SchemaVersion: 0.1.4
query: |
  _ASim_ProcessEvent
  | where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')
  | where CommandLine has_all ('delete', 'shadow')
  | union isfuzzy=True 
      (_ASim_ProcessEvent
      | where TargetProcessFilename =~ 'bcedit.exe'
      | where CommandLine has_all ('/set', 'recoveryenabled no')
      )
  | project
      TimeGenerated,
      DvcHostname,
      DvcIpAddr,
      DvcDomain,
      TargetUsername,
      TargetUsernameType,
      TargetProcessName,
      TargetProcessId,
      CommandLine
  | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
  | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
  | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
  | extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')  
kind: Scheduled
triggerOperator: gt
alertDetailsOverride:
  alertDisplayNameFormat: Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} by {{TargetUsername}}
  alertDescriptionFormat: 'A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files.'
version: 1.0.0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/259de2c1-c546-4c6d-a17c-df639722f4d7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/259de2c1-c546-4c6d-a17c-df639722f4d7')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files.",
          "alertDisplayNameFormat": "Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} by {{TargetUsername}}"
        },
        "alertRuleTemplateName": "259de2c1-c546-4c6d-a17c-df639722f4d7",
        "customDetails": null,
        "description": "This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files.\nhttps://attack.mitre.org/techniques/T1490/\n",
        "displayName": "Detect Malicious Usage of Recovery Tools to Delete Backup Files",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DvcHostname",
                "identifier": "HostName"
              },
              {
                "columnName": "DvcDomain",
                "identifier": "DnsDomain"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DvcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Username",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "TargetProcessId",
                "identifier": "ProcessId"
              },
              {
                "columnName": "CommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml",
        "query": "_ASim_ProcessEvent\n| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')\n| where CommandLine has_all ('delete', 'shadow')\n| union isfuzzy=True \n    (_ASim_ProcessEvent\n    | where TargetProcessFilename =~ 'bcedit.exe'\n    | where CommandLine has_all ('/set', 'recoveryenabled no')\n    )\n| project\n    TimeGenerated,\n    DvcHostname,\n    DvcIpAddr,\n    DvcDomain,\n    TargetUsername,\n    TargetUsernameType,\n    TargetProcessName,\n    TargetProcessId,\n    CommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[1]), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[0]), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "tags": [
          {
            "Schema": "_ASim_ProcessEvent",
            "SchemaVersion": "0.1.4"
          }
        ],
        "techniques": [
          "T1490"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}