Detect Malicious Usage of Recovery Tools to Delete Backup Files
| Id | 259de2c1-c546-4c6d-a17c-df639722f4d7 |
| Rulename | Detect Malicious Usage of Recovery Tools to Delete Backup Files |
| Description | This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files. https://attack.mitre.org/techniques/T1490/ |
| Severity | High |
| Tactics | Impact |
| Techniques | T1490 |
| Required data connectors | CiscoSecureEndpoint CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne TrendMicroApexOne TrendMicroApexOneAma VMwareCarbonBlack |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml |
| Version | 1.0.0 |
| Arm template | 259de2c1-c546-4c6d-a17c-df639722f4d7.json |
_ASim_ProcessEvent
| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')
| where CommandLine has_all ('delete', 'shadow')
| union isfuzzy=True
(_ASim_ProcessEvent
| where TargetProcessFilename =~ 'bcedit.exe'
| where CommandLine has_all ('/set', 'recoveryenabled no')
)
| project
TimeGenerated,
DvcHostname,
DvcIpAddr,
DvcDomain,
TargetUsername,
TargetUsernameType,
TargetProcessName,
TargetProcessId,
CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')
id: 259de2c1-c546-4c6d-a17c-df639722f4d7
triggerThreshold: 0
eventGroupingSettings:
aggregationKind: AlertPerResult
severity: High
alertDetailsOverride:
alertDescriptionFormat: 'A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files.'
alertDisplayNameFormat: Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} by {{TargetUsername}}
relevantTechniques:
- T1490
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
- connectorId: SentinelOne
dataTypes:
- SentinelOne_CL
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
dataTypes:
- CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
dataTypes:
- TMApexOneEvent
- connectorId: TrendMicroApexOneAma
dataTypes:
- TMApexOneEvent
tags:
- SchemaVersion: 0.1.4
Schema: _ASim_ProcessEvent
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: DnsDomain
columnName: DvcDomain
- identifier: NTDomain
columnName: NTDomain
entityType: Host
- fieldMappings:
- identifier: Address
columnName: DvcIpAddr
entityType: IP
- fieldMappings:
- identifier: Name
columnName: Username
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: NTDomain
columnName: NTDomain
entityType: Account
- fieldMappings:
- identifier: ProcessId
columnName: TargetProcessId
- identifier: CommandLine
columnName: CommandLine
entityType: Process
version: 1.0.0
query: |
_ASim_ProcessEvent
| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')
| where CommandLine has_all ('delete', 'shadow')
| union isfuzzy=True
(_ASim_ProcessEvent
| where TargetProcessFilename =~ 'bcedit.exe'
| where CommandLine has_all ('/set', 'recoveryenabled no')
)
| project
TimeGenerated,
DvcHostname,
DvcIpAddr,
DvcDomain,
TargetUsername,
TargetUsernameType,
TargetProcessName,
TargetProcessId,
CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')
queryPeriod: 1h
triggerOperator: gt
tactics:
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml
status: Available
description: |
This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files.
https://attack.mitre.org/techniques/T1490/
name: Detect Malicious Usage of Recovery Tools to Delete Backup Files
kind: Scheduled
queryFrequency: 1h
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/259de2c1-c546-4c6d-a17c-df639722f4d7')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/259de2c1-c546-4c6d-a17c-df639722f4d7')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files.",
"alertDisplayNameFormat": "Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} by {{TargetUsername}}"
},
"alertRuleTemplateName": "259de2c1-c546-4c6d-a17c-df639722f4d7",
"customDetails": null,
"description": "This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files.\nhttps://attack.mitre.org/techniques/T1490/\n",
"displayName": "Detect Malicious Usage of Recovery Tools to Delete Backup Files",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DvcHostname",
"identifier": "HostName"
},
{
"columnName": "DvcDomain",
"identifier": "DnsDomain"
},
{
"columnName": "NTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DvcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Username",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
},
{
"columnName": "NTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "TargetProcessId",
"identifier": "ProcessId"
},
{
"columnName": "CommandLine",
"identifier": "CommandLine"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml",
"query": "_ASim_ProcessEvent\n| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')\n| where CommandLine has_all ('delete', 'shadow')\n| union isfuzzy=True \n (_ASim_ProcessEvent\n | where TargetProcessFilename =~ 'bcedit.exe'\n | where CommandLine has_all ('/set', 'recoveryenabled no')\n )\n| project\n TimeGenerated,\n DvcHostname,\n DvcIpAddr,\n DvcDomain,\n TargetUsername,\n TargetUsernameType,\n TargetProcessName,\n TargetProcessId,\n CommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[1]), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[0]), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"tags": [
{
"Schema": "_ASim_ProcessEvent",
"SchemaVersion": "0.1.4"
}
],
"techniques": [
"T1490"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}