GitHub Repo

Atomic Red Team

Date: 2020-11-09 ID: cc9b261e-efc9-11eb-926b-550bf0943fbb Author: Patrick Bareiss Environment: attack_range Directory: atomic_red_team

Description

Atomic Test Results: Successful Execution of test T1490-1 Windows - Delete Volume Shadow Copies Successful Execution of test T1490-2 Windows - Delete Volume Shadow Copies via WMI Return value unclear for test T1490-3 Windows - Delete Windows Backup Catalog Successful Execution of test T1490-4 Windows - Disable Windows Recovery Console Repair Return value unclear for test T1490-5 Windows - Delete Volume Shadow Copies via WMI with PowerShell Successful Execution of test T1490-6 Windows - Delete Backup Files

MITRE ATT&CK Techniques

ID Technique Tactic
T1490 Inhibit System Recovery Impact

Environment Details

Field Value
Environment attack_range
Directory atomic_red_team
Test Date 2020-11-09

Datasets

The following datasets were collected during this attack simulation:

Windows-Sysmon

  • Path: /datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log
  • Sourcetype: XmlWinEventLog
  • Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

4688_xml_windows_security_delete_shadow

  • Path: /datasets/attack_techniques/T1490/atomic_red_team/4688_xml_windows_security_delete_shadow.log
  • Sourcetype: XmlWinEventLog
  • Source: XmlWinEventLog:Security

The following detections in our security content repository use this attack data for testing:

Detection Name Type Source MITRE ATT&CK Analytic Story
Deleting Shadow Copies TTP Endpoint T1490 Rhysida Ransomware, Prestige Ransomware, CISA AA22-264A, LockBit Ransomware, SamSam Ransomware, Chaos Ransomware, Black Basta Ransomware, DarkGate Malware, Ransomware, Windows Log Manipulation, Compromised Windows Host, Clop Ransomware, Cactus Ransomware, Medusa Ransomware, VanHelsing Ransomware, Termite Ransomware, Storm-2460 CLFS Zero Day Exploitation
WBAdmin Delete System Backups TTP Endpoint T1490 Ryuk Ransomware, Ransomware, Prestige Ransomware, Chaos Ransomware, Storm-2460 CLFS Zero Day Exploitation
BCDEdit Failure Recovery Modification TTP Endpoint T1490 Ransomware, Compromised Windows Host, Ryuk Ransomware, Storm-2460 CLFS Zero Day Exploitation

Usage Instructions

Replay with Splunk Attack Data

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log --index attack_data

Manual Import

  1. Download the dataset files from the paths listed above
  2. Configure your Splunk instance with the appropriate sourcetypes
  3. Import the logs using the Splunk Add Data wizard

Related Content

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0