cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
ihoratos
Level 9
Report Inappropriate Content
Message 1 of 7
‎03-09-2020 01:31 PM

detection of deletion of shadow

Jump to solution

Does McAfee provide detection for attempted deletion of shadow copies? If not, is there a method whereby the admin can add them?

0 Kudos
Reply
1 Solution

Accepted Solutions
Daveb3d
MVP
Report Inappropriate Content
Message 4 of 7
‎03-11-2020 11:18 AM

Re: detection of deletion of shadow

Jump to solution

I just mean blocking on this rule.  If you don't have blocking, you'll get a TON of alerts each time.  So I would suggest for testing at the bottom replace "**" with "version.dll" or something like that.  In short, this just stops these processes from loading any DLLs, so they execute but fail to do anything because they don't have needed modules to go.  If you have ** without blocking, you'll see every DLL loaded by them. 

Good call on the PowerShell.  So two things.  1) I might suggest talking to McAfee about getting this in AMSI.  They may object, but I think it would be good to push it.  I can't imagine there are many legitimate reasons people would be doing this.   2) This rule now includes that if it is command-line based.  

Rule {
Process {

Include AggregateMatch {
Include OBJECT_NAME { -v "vssadmin.exe" }
Include PROCESS_CMD_LINE {
-v "*delete*"
}
}

Include AggregateMatch {
Include OBJECT_NAME { -v "wmic.exe" }
Include PROCESS_CMD_LINE {
-v "*shadowcopy*"

}
}

Include AggregateMatch {
Include OBJECT_NAME { -v "powershell.exe" }
Include PROCESS_CMD_LINE {
-v "*win32_shadowcopy*"

}
}

}

Target {
Match SECTION {
Include OBJECT_NAME { -v "**" }
Include -access "CREATE"
}
}
}

 

 

OR you could make it a bit more efficient and do this, assuming it doesn't give any false positives.

 

Rule {
Process {

Include AggregateMatch {
Include OBJECT_NAME { -v "vssadmin.exe" }
Include PROCESS_CMD_LINE {
-v "*delete*"
}
}

Include AggregateMatch {
Include OBJECT_NAME {
-v "wmic.exe"
-v "powershell.exe"
}
Include PROCESS_CMD_LINE {
-v "*shadowcopy*"

}
}
}

Target {
Match SECTION {
Include OBJECT_NAME { -v "**" }
Include -access "CREATE"
}
}
}

View solution in original post

Reply
6 Replies
Daveb3d
MVP
Report Inappropriate Content
Message 2 of 7
‎03-11-2020 10:59 AM

Re: detection of deletion of shadow

Jump to solution

If you enable blocking, this will stop it in ENS:

 

Rule {
Process {

Include AggregateMatch {
Include OBJECT_NAME { -v "vssadmin.exe" }
Include PROCESS_CMD_LINE {
-v "*delete*"
}
}

Include AggregateMatch {
Include OBJECT_NAME { -v "wmic.exe" }
Include PROCESS_CMD_LINE {
-v "*shadowcopy*"

}
}
}

Target {
Match SECTION {
Include OBJECT_NAME { -v "**" }
Include -access "CREATE"
}
}
}

Reply
ihoratos
Level 9
Report Inappropriate Content
Message 3 of 7
‎03-11-2020 11:10 AM

Re: detection of deletion of shadow

Jump to solution

Thanks for the quick reply.  Query :  You say " If you enable blocking..." - is that blocking for this specific check or does it have to be a general enable blocking?

Also, how about the Powershell attack:

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_Delete} 

OR

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()} 

 

0 Kudos
Reply
Daveb3d
MVP
Report Inappropriate Content
Message 4 of 7
‎03-11-2020 11:18 AM

Re: detection of deletion of shadow

Jump to solution

I just mean blocking on this rule.  If you don't have blocking, you'll get a TON of alerts each time.  So I would suggest for testing at the bottom replace "**" with "version.dll" or something like that.  In short, this just stops these processes from loading any DLLs, so they execute but fail to do anything because they don't have needed modules to go.  If you have ** without blocking, you'll see every DLL loaded by them. 

Good call on the PowerShell.  So two things.  1) I might suggest talking to McAfee about getting this in AMSI.  They may object, but I think it would be good to push it.  I can't imagine there are many legitimate reasons people would be doing this.   2) This rule now includes that if it is command-line based.  

Rule {
Process {

Include AggregateMatch {
Include OBJECT_NAME { -v "vssadmin.exe" }
Include PROCESS_CMD_LINE {
-v "*delete*"
}
}

Include AggregateMatch {
Include OBJECT_NAME { -v "wmic.exe" }
Include PROCESS_CMD_LINE {
-v "*shadowcopy*"

}
}

Include AggregateMatch {
Include OBJECT_NAME { -v "powershell.exe" }
Include PROCESS_CMD_LINE {
-v "*win32_shadowcopy*"

}
}

}

Target {
Match SECTION {
Include OBJECT_NAME { -v "**" }
Include -access "CREATE"
}
}
}

 

 

OR you could make it a bit more efficient and do this, assuming it doesn't give any false positives.

 

Rule {
Process {

Include AggregateMatch {
Include OBJECT_NAME { -v "vssadmin.exe" }
Include PROCESS_CMD_LINE {
-v "*delete*"
}
}

Include AggregateMatch {
Include OBJECT_NAME {
-v "wmic.exe"
-v "powershell.exe"
}
Include PROCESS_CMD_LINE {
-v "*shadowcopy*"

}
}
}

Target {
Match SECTION {
Include OBJECT_NAME { -v "**" }
Include -access "CREATE"
}
}
}

Reply
ihoratos
Level 9
Report Inappropriate Content
Message 5 of 7
‎03-11-2020 11:22 AM

Re: detection of deletion of shadow

Jump to solution

Is there any method whereby we could add it in without having to wake McAfee up?

0 Kudos
Reply
Daveb3d
MVP
Report Inappropriate Content
Message 6 of 7
‎03-11-2020 11:25 AM

Re: detection of deletion of shadow

Jump to solution

For the rule I provided, it is an Expert Rule, so it just goes in Exploit Prevention and click Add, choose Process as the type and set severity to high.  Then choose Report/Block and drop it in.  For AMSI, that has to go through support, unfortunately.  Make sure it is routed to Labs and/or the content team.  

Dave

Reply
ihoratos
Level 9
Report Inappropriate Content
Message 7 of 7
‎03-11-2020 11:27 AM

Re: detection of deletion of shadow

Jump to solution

Thanks Dave.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC