From d5a8f41864aa492b75bc3d8f45f8d3d3f0ce79d7 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Mon, 4 Oct 2021 14:00:35 -0500
Subject: [PATCH] [Rule Tuning] Volume Shadow Copy Deletion or Resized via VssAdmin (#1524)
* Updated rule to include resizing
* lint
Co-authored-by: Jonhnathan
---
 ...copy_deletion_or_resized_via_vssadmin.toml} | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
 rename rules/windows/{impact_volume_shadow_copy_deletion_via_vssadmin.toml => impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml} (60%)
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
similarity index 60%
rename from rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
rename to rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index 252b4a7ad..33568d16f 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -1,19 +1,19 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/10/04"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or
-other destructive attacks.
+Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with
+ransomware or other destructive attacks.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Volume Shadow Copy Deletion via VssAdmin"
+name = "Volume Shadow Copy Deleted or Resized via VssAdmin"
 risk_score = 73
 rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921"
 severity = "high"
@@ -22,22 +22,22 @@
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and
- (process.name : "vssadmin.exe" or process.pe.original_file_name == "VSSADMIN.EXE") and
- process.args : "delete" and process.args : "shadows"
+process where event.type in ("start", "process_started") and event.action == "start"
+ and (process.name : "vssadmin.exe" or process.pe.original_file_name == "VSSADMIN.EXE") and
+ process.args in ("delete", "resize") and process.args : "shadows*"
 '''
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1490"
 reference = "https://attack.mitre.org/techniques/T1490/"
 name = "Inhibit System Recovery"
+id = "T1490"
 [rule.threat.tactic]
-id = "TA0040"
 reference = "https://attack.mitre.org/tactics/TA0040/"
 name = "Impact"
+id = "TA0040"
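Review bot: The new query replaces `process.args : "delete"` with `process.args in ("delete", "resize")`, and EQL's `in` compares strings case-sensitively while `:` does not, so the rewrite quietly narrows the coverage the old rule had for differently cased arguments; `process.args : ("delete", "resize") and process.args : "shadows*"` keeps the list form and the case-insensitive match. The added `event.action == "start"` term also looks likely to exclude process-creation events from the `winlogbeat-*` and `logs-windows.*` indices listed in the first hunk, since Sysmon and Security-log sources generally populate `event.action` with a different value than Elastic Endpoint does — worth confirming against each data source before keeping the extra constraint. The `shadows*` wildcard is what makes the resize case fire (it now covers `shadowstorage`), but nothing in the file says so; a TOML comment above `query = '''` such as `# "shadows*" deliberately matches both "shadows" and "shadowstorage" so the resize variant is caught` would stop a future tidy-up from narrowing it back to `shadows`.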