blue-team-tools/rules/windows/sysmon/sysmon_vssadmin_delete.yml
Michael Haag c5f05dd829 bitsadmin & VSSAdmin
+Bitsadmin download
+VSSAdmin delete
2017-03-08 22:49:35 -08:00

19 lines
546 B
YAML

title: vssadmin delete shadow copies
status: experimental
description: Detects vssadmin.exe being used to delete all volume shadow copies, a step ransomware such as TeslaCrypt takes before encryption so that files cannot be restored from Volume Shadow Copy Service snapshots
reference: https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
author: Michael Haag
logsource:
    product: sysmon
detection:
    selection:
        EventID: 1
        Image:
            - '*\vssadmin.exe'
        CommandLine:
            # Sigma string values are matched case-insensitively, and a value without
            # wildcards must equal the whole field. The full command line also carries
            # the executable name, so leading and trailing '*' are required here or the
            # selection never fires.
            - '*Delete Shadows /All /Quiet*'
    condition: selection
falsepositives:
    - Some backup and storage management tools delete shadow copies legitimately, but rarely all of them at once; baseline on the parent process before alerting
level: medium
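The selection above is easy to get wrong because Sigma matches whole field values unless a pattern carries wildcards. The following script is an added example, not part of this rule or of the Sigma project: it implements the Sigma selection semantics this rule relies on (fields ANDed, listed values ORed, case-insensitive matching, `*` and `?` as wildcards) and runs the rule over constructed Sysmon Event ID 1 records. It also runs the same selection with the bare value `Delete Shadows /All /Quiet` to show that, without wildcards, nothing matches. The sample events and the `EXACT_SELECTION` variant are constructed for illustration.

```python
import fnmatch
import re

# The rule's selection, transcribed into a Python dict. A list of values is an OR,
# the fields of the map are ANDed together.
RULE_SELECTION = {
    "EventID": 1,
    "Image": ["*\\vssadmin.exe"],
    "CommandLine": ["*Delete Shadows /All /Quiet*"],
}

# The same selection without wildcards on CommandLine (constructed to show why
# the wildcards matter): a wildcard-free Sigma value must equal the whole field.
EXACT_SELECTION = {
    "EventID": 1,
    "Image": ["*\\vssadmin.exe"],
    "CommandLine": ["Delete Shadows /All /Quiet"],
}

# Constructed Sysmon process-creation events (EventID 1). These are not real logs.
SAMPLE_EVENTS = [
    {   # 0: classic ransomware form, exactly as written in the rule
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\vssadmin.exe",
        "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
    },
    {   # 1: same action, lower case; Sigma matching is case-insensitive
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\vssadmin.exe",
        "CommandLine": "vssadmin delete shadows /all /quiet",
    },
    {   # 2: benign enumeration of shadow copies
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\vssadmin.exe",
        "CommandLine": "vssadmin list shadows",
    },
    {   # 3: per-volume deletion; a valid vssadmin form the rule's pattern does not cover
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\vssadmin.exe",
        "CommandLine": "vssadmin delete shadows /for=C: /oldest",
    },
    {   # 4: same goal via WMI; a different Image, so out of scope for this rule
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "CommandLine": "wmic shadowcopy delete",
    },
]


def sigma_value_matches(pattern, value):
    """Match one Sigma value against one field value.

    Integers compare for equality. Strings are matched case-insensitively over the
    whole field, with '*' and '?' translated to regex wildcards by fnmatch.
    """
    if isinstance(pattern, int):
        return value == pattern
    regex = fnmatch.translate(pattern)  # anchored: '*' is the only way to match a prefix/suffix
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None


def selection_matches(selection, event):
    """Every field in the selection must match; a list of values for a field is an OR."""
    for field, patterns in selection.items():
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(sigma_value_matches(p, event[field]) for p in patterns):
            return False
    return True


def run_rule(selection, events):
    """Return the indexes of the events the selection fires on."""
    return [i for i, event in enumerate(events) if selection_matches(selection, event)]


if __name__ == "__main__":
    print("with wildcards:", run_rule(RULE_SELECTION, SAMPLE_EVENTS))   # [0, 1]
    print("exact match:   ", run_rule(EXACT_SELECTION, SAMPLE_EVENTS))  # []
```

Events 3 and 4 are left unmatched on purpose: the rule as written only covers the `Delete Shadows /All /Quiet` form of vssadmin, so per-volume or `/Oldest` deletions and `wmic shadowcopy delete` need separate selections if you want them.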