Introduction
Ransomware attacks continue to pose a significant threat to individuals and organizations alike. A common early step in many ransomware attacks is deleting Volume Shadow Copies, a Windows feature that allows users to restore individual files or an entire volume to a previous state; without them, the victim's cheapest recovery path is gone before encryption even starts. In this blog post, we will both monitor and respond to processes that try to delete Volume Shadow Copies using LimaCharlie.
Detecting the Deletion of Volume Shadow Copies with LimaCharlie
Using the shell command in our Sliver session, we can spawn a shell on the implanted host, allowing us to run commands on the Windows server.
A simple command that deletes all Volume Shadow Copies is: vssadmin delete shadows /all
Since this is a fresh Windows server, there are no Volume Shadow Copies to delete, but that does not matter for our purposes: the vssadmin.exe process is still created with that command line, and the process creation event is what the sensor sees.
Let’s see if LimaCharlie has detected anything. Heading over to the Detections tab, we find it has indeed detected it!
Utilizing Reference URLs and YARA Signatures
Within the metadata of the detection, there are reference URLs that explain what the detected behavior does and why it is dangerous, along with the YARA signature that matched. By reviewing these resources, organizations can understand what the built-in detection covers and build on it with their own rules.
Crafting a Detection and Response (D&R) Rule
Viewing the event timeline, we can see the raw event that generated this detection.
Clicking the “Build D&R Rule” button in the top right saves us the time of writing the detect section by hand, as LimaCharlie pre-fills it from the event that fired.
The respond section is where we tell LimaCharlie what to do when the detect section matches. The “action: report” entry sends a detection to the Detections tab. The “action: task” entry is what actually blocks the activity: it issues a deny_tree command against the parent of the vssadmin delete shadows /all process, which kills that parent and any process it spawns, rather than only the vssadmin.exe instance that already ran.
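As an added example, and not the rule the “Build D&R Rule” button generated for the post, here is a complete D&R rule in LimaCharlie’s YAML syntax. It covers the vssadmin delete shadows form used above and, because attackers use them just as often, two other common shadow-copy removal commands: vssadmin resize shadowstorage (which evicts snapshots by shrinking the storage cap) and wmic shadowcopy delete. The detection name vss_deletion_attempt and the choice to match only NEW_PROCESS events are assumptions; the operators and the deny_tree task syntax are LimaCharlie’s own.

```yaml
# Added example rule, not the one generated on the page.
detect:
  events:
    - NEW_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        # vssadmin delete shadows ...  /  vssadmin resize shadowstorage ...
        - op: and
          rules:
            - op: ends with
              path: event/FILE_PATH
              value: vssadmin.exe
              case sensitive: false
            - op: or
              rules:
                - op: contains
                  path: event/COMMAND_LINE
                  value: delete shadows
                  case sensitive: false
                - op: contains
                  path: event/COMMAND_LINE
                  value: resize shadowstorage
                  case sensitive: false
        # wmic shadowcopy delete
        - op: and
          rules:
            - op: ends with
              path: event/FILE_PATH
              value: wmic.exe
              case sensitive: false
            - op: contains
              path: event/COMMAND_LINE
              value: shadowcopy delete
              case sensitive: false

respond:
  # Surface the hit in the Detections tab.
  - action: report
    name: vss_deletion_attempt
  # Kill the parent of the offending process and everything it spawns.
  # routing/parent is the parent process atom; deny_tree blocks that
  # process and any future children, which is what stops a C2 shell
  # (or a ransomware loader) from continuing after this step.
  - action: task
    command: deny_tree <<routing/parent>>
```

Two caveats before deploying this with the task action enabled. First, deny_tree kills the parent, so if a legitimate backup agent or an administrator’s interactive session runs vssadmin, that parent is what dies; scope the rule with additional conditions (for example, excluding a known backup service’s FILE_PATH) or run it with only the report action for a while to see what fires. Second, string matching on COMMAND_LINE is easy to evade with quoting or spacing tricks, so treat this as one layer alongside the built-in YARA detections shown earlier rather than the only one.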
Testing the Detection and Response Rule
To validate the detection and response rule, we ran the vssadmin delete shadows /all command again from our Sliver C2 shell. At first it looked as though the response had not triggered, because the command returned as before. When we issued the next command, however, the shell hung: deny_tree had killed the parent process of vssadmin.exe, which in this case was the shell itself, so it could no longer execute anything. That is the expected result of the rule, and it confirms the response fired.
Conclusion
In this blog post, we explored the importance of monitoring and responding to the deletion of Volume Shadow Copies as a defense against ransomware attacks. Using LimaCharlie, we detected the deletion of Volume Shadow Copies, located valuable resources to enhance our detection capabilities, crafted a robust Detection and Response (D&R) rule, and tested its effectiveness.