detection of deletion of shadow

Does McAfee provide detection for attempted deletion of shadow copies? If not, is there a method whereby the admin can add them?


6 Replies
Message 2 of 7

Re: detection of deletion of shadow

If you enable blocking, this will stop it in ENS:

Rule {
    Process {
        Include AggregateMatch {
            Include OBJECT_NAME { -v "vssadmin.exe" }
            Include PROCESS_CMD_LINE { -v "*delete*" }
        }
        Include AggregateMatch {
            Include OBJECT_NAME { -v "wmic.exe" }
            Include PROCESS_CMD_LINE { -v "*shadowcopy*" }
        }
    }
    Target {
        Match SECTION {
            Include OBJECT_NAME { -v "**" }
            Include -access "CREATE"
        }
    }
}

Re: detection of deletion of shadow

Thanks for the quick reply. Query: you say "If you enable blocking..." - is that blocking for this specific rule, or does it have to be a general enable blocking?

Also, how about the Powershell attack:

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_Delete} 

OR

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()} 

Message 4 of 7 (accepted solution)

Re: detection of deletion of shadow

I just mean blocking on this rule. If you don't have blocking, you'll get a TON of alerts each time. So for testing I would suggest replacing "**" at the bottom with "version.dll" or something like that. In short, this just stops these processes from loading any DLLs, so they execute but fail to do anything because they don't have the modules they need. If you have ** without blocking, you'll see every DLL loaded by them.

Good call on the PowerShell. So, two things. 1) I might suggest talking to McAfee about getting this into AMSI. They may object, but I think it would be good to push it. I can't imagine there are many legitimate reasons people would be doing this. 2) This rule now includes that, if it is command-line based.

Rule {
    Process {
        Include AggregateMatch {
            Include OBJECT_NAME { -v "vssadmin.exe" }
            Include PROCESS_CMD_LINE { -v "*delete*" }
        }
        Include AggregateMatch {
            Include OBJECT_NAME { -v "wmic.exe" }
            Include PROCESS_CMD_LINE { -v "*shadowcopy*" }
        }
        Include AggregateMatch {
            Include OBJECT_NAME { -v "powershell.exe" }
            Include PROCESS_CMD_LINE { -v "*win32_shadowcopy*" }
        }
    }
    Target {
        Match SECTION {
            Include OBJECT_NAME { -v "**" }
            Include -access "CREATE"
        }
    }
}

OR you could make it a bit more efficient and do this, assuming it doesn't give any false positives.

Rule {
    Process {
        Include AggregateMatch {
            Include OBJECT_NAME { -v "vssadmin.exe" }
            Include PROCESS_CMD_LINE { -v "*delete*" }
        }
        Include AggregateMatch {
            Include OBJECT_NAME {
                -v "wmic.exe"
                -v "powershell.exe"
            }
            Include PROCESS_CMD_LINE { -v "*shadowcopy*" }
        }
    }
    Target {
        Match SECTION {
            Include OBJECT_NAME { -v "**" }
            Include -access "CREATE"
        }
    }
}

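To see what the rules in messages 2 and 4 actually fire on, here is an added example (not McAfee code and not from the posts above) that reimplements their matching logic in Python and runs it over constructed process-creation records. It models only the globbing: each Process AggregateMatch block fires when the image name matches and one of its PROCESS_CMD_LINE wildcards matches, the blocks are ORed, and the Target block then produces one event per DLL (SECTION CREATE) the matching process loads. It assumes ENS compares these values case-insensitively; that is an assumption about the engine, not something stated in the thread, and the case_insensitive flag shows what a case-sensitive matcher would miss. The command lines and DLL lists are constructed for the example.

```python
"""Model of the ENS Expert Rule matching discussed in this thread (added example).

Assumptions (not from the thread): ENS wildcard matching is case-insensitive,
OBJECT_NAME without a path matches the process image name, and the sample
events and DLL lists below are constructed, not captured from a real host.
"""
from fnmatch import fnmatchcase

# Process sections of the three variants posted above: (image, cmdline globs).
RULE_MESSAGE_2 = [("vssadmin.exe", ["*delete*"]),
                  ("wmic.exe", ["*shadowcopy*"])]
RULE_MESSAGE_4 = RULE_MESSAGE_2 + [("powershell.exe", ["*win32_shadowcopy*"])]
RULE_COMPACT = [("vssadmin.exe", ["*delete*"]),
                ("wmic.exe", ["*shadowcopy*"]),
                ("powershell.exe", ["*shadowcopy*"])]

# Constructed process-creation records: (image name, command line, DLLs it loads).
COMMON_DLLS = ["ntdll.dll", "kernel32.dll", "version.dll", "vssapi.dll"]
EVENTS = [
    ("vssadmin.exe", "vssadmin.exe delete shadows /all /quiet", COMMON_DLLS),
    ("vssadmin.exe", "vssadmin.exe list shadows", COMMON_DLLS),
    ("wmic.exe", "wmic.exe shadowcopy delete", COMMON_DLLS),
    ("powershell.exe",
     'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"',
     COMMON_DLLS),
    # Same deletion, but the WMI call lives in a script file: the command line
    # carries no "shadowcopy" at all, so a command-line rule cannot see it.
    ("powershell.exe",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\cleanup.ps1",
     COMMON_DLLS),
]


def glob_match(value, pattern, case_insensitive=True):
    """ENS-style wildcard compare; case folding is the assumption noted above."""
    if case_insensitive:
        value, pattern = value.lower(), pattern.lower()
    return fnmatchcase(value, pattern)


def process_matches(rule, image, cmdline, case_insensitive=True):
    """True if any AggregateMatch block fires: image matches AND one cmdline glob matches."""
    return any(
        glob_match(image, img, case_insensitive)
        and any(glob_match(cmdline, g, case_insensitive) for g in globs)
        for img, globs in rule
    )


def matching_events(rule, events=EVENTS, case_insensitive=True):
    """Indexes of the events whose process section the rule fires on."""
    return [i for i, (img, cmd, _) in enumerate(events)
            if process_matches(rule, img, cmd, case_insensitive)]


def alerts(rule, events=EVENTS, target_glob="**"):
    """Target { Match SECTION { OBJECT_NAME target_glob; -access CREATE } }:
    in report-only mode every matching DLL load by a matching process is one event."""
    return [(img, dll)
            for img, cmd, dlls in events if process_matches(rule, img, cmd)
            for dll in dlls if glob_match(dll, target_glob)]


if __name__ == "__main__":
    for name, rule in [("message 2", RULE_MESSAGE_2),
                       ("message 4", RULE_MESSAGE_4),
                       ("message 4 compact", RULE_COMPACT)]:
        print(f"{name} fires on: {[EVENTS[i][1] for i in matching_events(rule)]}")
    print("message 4 with a case-sensitive matcher:",
          [EVENTS[i][1] for i in matching_events(RULE_MESSAGE_4, case_insensitive=False)])
    print('report-only alerts with "**":', len(alerts(RULE_MESSAGE_4)),
          '| with "version.dll":', len(alerts(RULE_MESSAGE_4, target_glob="version.dll")))
```

Running it shows the message 2 rule catching only the vssadmin and wmic deletions, both message 4 variants also catching the inline PowerShell one-liner, and none of them seeing the same deletion when it is moved into a .ps1 file, which is the "if it is command-line based" limit in the post above. With the "**" target every DLL load by a matching process is its own event (12 here for 3 processes), while narrowing the target to "version.dll" gives one event per process, which is why that substitution is suggested for testing in report mode. If the engine compared case-sensitively, "*win32_shadowcopy*" would not match the "Win32_Shadowcopy" spelling used in the attack, so that is worth confirming before relying on the rule.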

Re: detection of deletion of shadow

Is there any method whereby we could add it in without having to wake McAfee up?

Message 6 of 7

Re: detection of deletion of shadow

The rule I provided is an Expert Rule, so it just goes into Exploit Prevention: click Add, choose Process as the type, set the severity to High, then choose Report/Block and drop it in. For AMSI, that has to go through support, unfortunately. Make sure it is routed to Labs and/or the content team.

Dave

Re: detection of deletion of shadow

Thanks Dave.
