The hypothesis is that the detected activity indicates an adversary is attempting to destroy volume shadow copies or clean free space to prevent data recovery after encryption, which is a common behavior in ransomware attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential ransomware activity before significant data loss occurs.
KQL Query

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName =~ 'vssadmin.exe' and ProcessCommandLine has "delete shadows" and ProcessCommandLine has "/all" and ProcessCommandLine has "/quiet") // Clearing shadow copies
    or (FileName =~ "WMIC.exe" and ProcessCommandLine has "shadowcopy delete") // WMIC to delete shadow copies
    or (FileName =~ 'cipher.exe' and ProcessCommandLine contains "/w") // Wiping drive free space
    or (FileName =~ 'schtasks.exe' and ProcessCommandLine has "/change" and ProcessCommandLine has @"\Microsoft\Windows\SystemRestore\SR" and ProcessCommandLine has "/disable") // Disabling system restore task
    or (FileName =~ 'fsutil.exe' and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal" and ProcessCommandLine has "/d") // Deleting USN journal
    or (FileName =~ 'icacls.exe' and ProcessCommandLine has @'"C:\*"' and ProcessCommandLine contains '/grant Everyone:F') // Attempts to re-ACL all files on the C drive to give everyone full control
    or (FileName =~ 'powershell.exe' and (
        ProcessCommandLine matches regex @'\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s+' and replace(@'\x00', '', base64_decode_tostring(extract("[A-Za-z0-9+/]{50,}[=]{0,2}", 0, ProcessCommandLine))) matches regex @".*(Win32_Shadowcopy).*(.Delete\(\)).*"
        ) or ProcessCommandLine matches regex @".*(Win32_Shadowcopy).*(.Delete\(\)).*"
    ) // PowerShell-based commands used to delete shadow copies, plain or base64-encoded (UTF-16LE, hence the \x00 stripping)
```
```yaml
id: d1b322ed-87bf-491a-9bfe-2f19d84359ed
name: Possible Ransomware Related Destruction Activity
description: |
  This query identifies common processes run by ransomware
  malware to destroy volume shadow copies or clean free
  space on a drive to prevent a file from being recovered
  post-encryption. To reduce false positives, results are
  filtered to only actions taken when the initiating
  process was launched from a suspicious directory. If
  you don't mind false positives, consider removing the
  last where clause.
  Special thanks to Captain for additional inputs
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - Impact
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where (FileName =~ 'vssadmin.exe' and ProcessCommandLine has "delete shadows" and ProcessCommandLine has "/all" and ProcessCommandLine has "/quiet") // Clearing shadow copies
      or (FileName =~ "WMIC.exe" and ProcessCommandLine has "shadowcopy delete") // WMIC to delete shadow copies
      or (FileName =~ 'cipher.exe' and ProcessCommandLine contains "/w") // Wiping drive free space
      or (FileName =~ 'schtasks.exe' and ProcessCommandLine has "/change" and ProcessCommandLine has @"\Microsoft\Windows\SystemRestore\SR" and ProcessCommandLine has "/disable") // Disabling system restore task
      or (FileName =~ 'fsutil.exe' and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal" and ProcessCommandLine has "/d") // Deleting USN journal
      or (FileName =~ 'icacls.exe' and ProcessCommandLine has @'"C:\*"' and ProcessCommandLine contains '/grant Everyone:F') // Attempts to re-ACL all files on the C drive to give everyone full control
      or (FileName =~ 'powershell.exe' and (
          ProcessCommandLine matches regex @'\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s+' and replace(@'\x00', '', base64_decode_tostring(extract("[A-Za-z0-9+/]{50,}[=]{0,2}", 0, ProcessCommandLine))) matches regex @".*(Win32_Shadowcopy).*(.Delete\(\)).*"
          ) or ProcessCommandLine matches regex @".*(Win32_Shadowcopy).*(.Delete\(\)).*"
      ) // This query looks for PowerShell-based commands used to delete shadow copies
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task Cleaning Free Space
Description: A legitimate system maintenance task, such as cleanmgr.exe (Disk Cleanup), may be executed to free up disk space, which could be mistaken for ransomware activity.
Filter/Exclusion: Exclude processes associated with cleanmgr.exe or tasks scheduled via Task Scheduler with known maintenance purposes.
Scenario: Volume Shadow Copy Cleanup by Windows Backup Service
Description: The Windows Backup service may run vssadmin.exe to clean up old volume shadow copies, which is a normal part of system maintenance.
Filter/Exclusion: Exclude processes initiated by the BackupAndRestore service or tasks related to vssadmin.exe with the delete shadows command.
Scenario: Admin Task to Remove Unneeded Shadow Copies
Description: A system administrator may manually remove unused volume shadow copies using vssadmin.exe as part of routine system optimization.
Filter/Exclusion: Exclude processes initiated by user accounts with administrative privileges and where the command line includes delete shadows or similar commands.
Scenario: Antivirus or Endpoint Protection Scan
Description: Some antivirus or endpoint protection tools may perform disk scans that temporarily clear free space or modify shadow copies as part of their scanning process.
Filter/Exclusion: Exclude processes associated with known antivirus vendors (e.g., MsMpEng.exe for Microsoft Defender, avgnt.exe for Avast) or their related services.
Scenario: Disk Defragmentation Task
Description: The Windows Disk Defragmentation service may run defrag.exe, which can temporarily modify free space and shadow copies during optimization.
Filter/Exclusion: Exclude processes initiated by the Defrag service or tasks scheduled via Task Scheduler with the defrag.exe command.
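To exercise the hunting query's matching logic and the process-based tuning from the scenarios above without a Sentinel workspace, here is an added Python example. It is not part of this page or of Microsoft's rule: it re-implements each branch of the query's `where` clause over constructed DeviceProcessEvents-style rows (including the base64/UTF-16LE decoding of `-EncodedCommand` that the KQL does with `extract`, `base64_decode_tostring` and the `\x00` replace), then applies an exclusion list for the maintenance-tool scenarios (cleanmgr.exe, defrag.exe, MsMpEng.exe). The `kql_has` helper, the sample rows, the allowlist, and the assumption that `InitiatingProcessFolderPath` carries the parent's full image path are all constructed for the example. It goes one step beyond the scenario text by keying each exclusion on the initiating image's location under `C:\Windows` as well as its name, so that a same-named binary run from a user-writable directory is still reported.

```python
import base64
import re

# Added example (not from the hunting page or Microsoft's rule): the page's KQL
# destruction checks re-implemented over constructed DeviceProcessEvents-style rows.

# Approximations of the KQL string operators the query relies on.
def kql_eq(a, b):                 # =~ : case-insensitive equality
    return a.lower() == b.lower()

def kql_contains(text, needle):   # contains : case-insensitive substring
    return needle.lower() in text.lower()

def kql_has(text, term):          # has : case-insensitive whole-term match (approximation)
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None

# Same three patterns as the query: the -enc/-e/-ec flag, a base64 run of 50+
# characters, and a Win32_Shadowcopy ... .Delete() call (plain or decoded).
ENCODED_FLAG = re.compile(r"\s+-(encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s+", re.IGNORECASE)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{50,}={0,2}")
SHADOW_DELETE = re.compile(r".*(Win32_Shadowcopy).*(.Delete\(\)).*")

def decode_encoded_command(cmdline):
    """Mirror extract() + base64_decode_tostring() + replace(\\x00) from the KQL.
    -EncodedCommand is base64 over UTF-16LE, so the decoded bytes carry interleaved
    nulls; dropping them leaves plain text the regex can match. None if no candidate."""
    if not ENCODED_FLAG.search(cmdline):
        return None
    m = BASE64_RUN.search(cmdline)
    if not m:
        return None
    blob = m.group(0)
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    except ValueError:
        return None
    return raw.replace(b"\x00", b"").decode("utf-8", errors="replace")

def match_destruction(ev):
    """Return the branch of the query's where clause that matched, or None."""
    f, cl = ev["FileName"], ev["ProcessCommandLine"]
    if kql_eq(f, "vssadmin.exe") and kql_has(cl, "delete shadows") and kql_has(cl, "/all") and kql_has(cl, "/quiet"):
        return "vssadmin: clearing shadow copies"
    if kql_eq(f, "WMIC.exe") and kql_has(cl, "shadowcopy delete"):
        return "wmic: deleting shadow copies"
    if kql_eq(f, "cipher.exe") and kql_contains(cl, "/w"):
        return "cipher: wiping free space"
    if kql_eq(f, "schtasks.exe") and kql_has(cl, "/change") and kql_has(cl, r"\Microsoft\Windows\SystemRestore\SR") and kql_has(cl, "/disable"):
        return "schtasks: disabling System Restore task"
    if kql_eq(f, "fsutil.exe") and kql_has(cl, "usn") and kql_has(cl, "deletejournal") and kql_has(cl, "/d"):
        return "fsutil: deleting USN journal"
    if kql_eq(f, "icacls.exe") and kql_has(cl, '"C:\\*"') and kql_contains(cl, "/grant Everyone:F"):
        return "icacls: granting Everyone full control on C:\\"
    if kql_eq(f, "powershell.exe"):
        decoded = decode_encoded_command(cl)
        if decoded is not None and SHADOW_DELETE.search(decoded):
            return "powershell: Win32_Shadowcopy delete (encoded)"
    # In the query 'and' binds tighter than 'or', so the plain-text regex branch
    # is evaluated for every FileName, not only powershell.exe; mirrored here.
    if SHADOW_DELETE.search(cl):
        return "Win32_Shadowcopy delete in command line"
    return None

# Constructed tuning list for the scenarios on the page: a maintenance binary is
# only trusted when its image lives under the Windows directory.
MAINTENANCE_INITIATORS = {"cleanmgr.exe", "defrag.exe", "msmpeng.exe"}
WINDOWS_DIR = "c:\\windows\\"

def is_excluded(ev):
    name = ev.get("InitiatingProcessFileName", "").lower()
    path = ev.get("InitiatingProcessFolderPath", "").lower()   # assumed: full image path
    return name in MAINTENANCE_INITIATORS and path.startswith(WINDOWS_DIR)

def hunt(events, tune=False):
    """Hunting-query equivalent: list of (ReportId, reason); tune=True applies the exclusions."""
    hits = []
    for ev in events:
        reason = match_destruction(ev)
        if reason is not None and not (tune and is_excluded(ev)):
            hits.append((ev["ReportId"], reason))
    return hits

def encode_ps(script):
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

SHADOW_SCRIPT = "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"

# Constructed rows using DeviceProcessEvents column names (not real telemetry).
SAMPLE_EVENTS = [
    {"ReportId": 1, "FileName": "vssadmin.exe", "ProcessCommandLine": "vssadmin.exe delete shadows /all /quiet",
     "InitiatingProcessFileName": "cmd.exe", "InitiatingProcessFolderPath": r"c:\users\public\cmd.exe"},
    {"ReportId": 2, "FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -enc " + encode_ps(SHADOW_SCRIPT),
     "InitiatingProcessFileName": "cmd.exe", "InitiatingProcessFolderPath": r"c:\users\public\cmd.exe"},
    {"ReportId": 3, "FileName": "cipher.exe", "ProcessCommandLine": "cipher.exe /w:C:\\",
     "InitiatingProcessFileName": "cleanmgr.exe", "InitiatingProcessFolderPath": r"c:\windows\system32\cleanmgr.exe"},
    {"ReportId": 4, "FileName": "cipher.exe", "ProcessCommandLine": "cipher.exe /w:C:\\",
     "InitiatingProcessFileName": "cleanmgr.exe", "InitiatingProcessFolderPath": r"c:\users\public\cleanmgr.exe"},
    {"ReportId": 5, "FileName": "notepad.exe", "ProcessCommandLine": "notepad.exe readme.txt",
     "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessFolderPath": r"c:\windows\explorer.exe"},
]

if __name__ == "__main__":
    for rid, reason in hunt(SAMPLE_EVENTS, tune=True):
        print(rid, reason)
```

Running it reports rows 1, 2 and 4: the Disk Cleanup-initiated wipe from System32 (row 3) is tuned out, while the identically named initiator under `C:\Users\Public` (row 4) stays in the results, which is the point of keying the exclusion on the image path rather than the name alone.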