search

ManderVoronwe / soc-g3

1 stars 0 forks source link

Suppression de Volume Shadow Copy #3

Open tidalwaave opened 11 months ago

tidalwaave commented 11 months ago

Splunk Query

| tstats allow_old_summaries=true count, values("Processes.process") AS process, values("Processes.parent_process") AS parent_process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=vssadmin.exe OR "Processes.process_name"=wmic.exe) "Processes.process"=*delete* "Processes.process"=*shadow*) BY "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.dest" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Alert Priority :

HIGH

tidalwaave commented 11 months ago 

((EventCode="4688" OR EventCode="1")
 (CommandLine="*vssadmin* *delete* *shadows*" 
 OR CommandLine="*wmic* *shadowcopy* *delete*" 
 OR CommandLine="*vssadmin* *resize* *shadowstorage*")) 
 OR (EventCode="5857" ProviderName="MSVSS__PROVIDER") 
 OR (EventCode="5858" Operation="*Win32_ShadowCopy*")

https://car.mitre.org/analytics/CAR-2021-01-009/

tidalwaave commented 11 months ago 
index=* ((EventCode="4688" OR EventCode="1")
 (CommandLine="*vssadmin* *delete* *shadows*" 
 OR CommandLine="*wmic* *shadowcopy* *delete*" 
 OR CommandLine="*vssadmin* *resize* *shadowstorage*")) 
 OR (EventCode="5857" ProviderName="MSVSS__PROVIDER") 
 OR (EventCode="5858" Operation="*Win32_ShadowCopy*")
tidalwaave commented 11 months ago 
index=* ((EventCode="4688" OR EventCode="1")
 (CommandLine="*vssadmin* *delete* *shadows*" 
 OR CommandLine="*wmic* *shadowcopy* *delete*" 
 OR CommandLine="*vssadmin* *resize* *shadowstorage*"))
tidalwaave commented 11 months ago

Manual Volume Shadow Copy Deletion