File tree Expand file tree Collapse file tree 2 files changed +7
-2
lines changed
datasets/attack_techniques/T1490/shadowcopy_del Expand file tree Collapse file tree 2 files changed +7
-2
lines changed Original file line number Diff line number Diff line change 11author : Bhavin Patel
22id : cc9b261f-efc9-11eb-926b-550bf0943fbb
3- date : ' 2020-11-09 '
3+ date : ' 2025-03-18 '
44description : This technique was seen in darkside ransomware where it will execute
55 a child process powershell to execute an hex encoded command to delete shadow copy.
6- This hex encoded command was able to decrypt by powershell log.
6+ This hex encoded command was able to decrypt by powershell log. WMIC shadowcopy delete behavior.
77environment : attack_range
88dataset :
99- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/shadowcopy_del/windows-powershell.log
10+ - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/shadowcopy_del/wmicshadowcopydelete_sysmon.log
1011sourcetypes :
1112- WinEventLog:Microsoft-Windows-PowerShell/Operational
1213- wineventlog
14+ - XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
1315references :
1416- https://attack.mitre.org/techniques/T1490/
Original file line number Diff line number Diff line change 1+ version https://git-lfs.github.com/spec/v1
2+ oid sha256:94d79d186a94c50f924c4ef22c36ce091b8fcefb3375779b7d64d231c520498f
3+ size 3905
You can’t perform that action at this time.
0 commit comments