Name:Windows WMIC Shadowcopy Delete id:0a8c4b26-a4e2-4ef1-b0d9-62af6d36bdc8 version:1 date:2025-03-18 author:Michael Haag, AJ King, Splunk status:production type:Anomaly Description:This analytic detects the use of WMIC to delete volume shadow copies, which is a common technique used by ransomware actors to prevent system recovery. Ransomware like Cactus often delete shadow copies before encrypting files to ensure victims cannot recover their data without paying the ransom. This behavior is particularly concerning as it indicates potential ransomware activity or malicious actors attempting to prevent system recovery. Data_source:
-Sysmon EventID 1
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe Processes.process = "*shadowcopy*" Processes.process = "*delete*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmic_shadowcopy_delete_filter`
how_to_implement:This detection requires Sysmon logging with Event ID 1 (Process Create) enabled. The logs must be processed using the appropriate Splunk Technology Add-ons and mapped to the Endpoint.Processes data model. Ensure that command-line arguments are being logged and that the appropriate permissions are in place to capture this data. known_false_positives:Legitimate system maintenance or backup operations may occasionally delete shadow copies. However, this activity should be rare and typically performed through approved administrative tools rather than direct WMIC commands. Tune and modify the search to fit your environment, enable as TTP. References: -https://any.run/malware-trends/cactus -https://attack.mitre.org/techniques/T1490/ drilldown_searches: name:'View the detection results for - "$dest$" and "$process_name$"' search:'%original_detection_search% | search dest = "$dest$" process_name = "$process_name$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$" and "$process_name$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$process_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Cactus Ransomware' - 'Volt Typhoon' - 'Suspicious WMI Use' asset_type:Endpoint mitre_attack_id: - 'T1490' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint
