
Sigma detection rules

23 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Detection rules

All Backups Deleted Via Wbadmin.EXE
Level: high · Status: test · Author: frack113, Nasreddine Bencherchali (Nextron Systems) · Id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76
Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
Sigma YAML:
title: All Backups Deleted Via Wbadmin.EXE
id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76
related:
    - id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
      type: derived
status: test
description: |
    Detects the deletion of all backups or system state backups via "wbadmin.exe".
    This technique is used by numerous ransomware families and actors.
    This may only be successful on server platforms that have Windows Backup enabled.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
    - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-13
modified: 2024-05-10
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'backup' # Also covers "SYSTEMSTATEBACKUP"
        CommandLine|contains: 'keepVersions:0'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Boot Configuration Tampering Via Bcdedit.EXE
Level: high · Status: stable · Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community · Id: 1444443e-6757-43e4-9ea4-c8fc705f79a2
Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.
Sigma YAML:
title: Boot Configuration Tampering Via Bcdedit.EXE
id: 1444443e-6757-43e4-9ea4-c8fc705f79a2
status: stable
description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
    - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2023-02-15
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bcdedit.exe'
        - OriginalFileName: 'bcdedit.exe'
    selection_set:
        CommandLine|contains: 'set'
    selection_cli:
        - CommandLine|contains|all:
              - 'bootstatuspolicy'
              - 'ignoreallfailures'
        - CommandLine|contains|all:
              - 'recoveryenabled'
              - 'no'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
simulation:
    - type: atomic-red-team
      name: Windows - Disable Windows Recovery Console Repair
      technique: T1490
      atomic_guid: cf21060a-80b3-4238-a595-22525de4ab81
Copy From VolumeShadowCopy Via Cmd.EXE
Level: high · Status: test · Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) · Id: c73124a7-3e89-44a3-bdc1-25fe4df754b1
Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use).
Sigma YAML:
title: Copy From VolumeShadowCopy Via Cmd.EXE
id: c73124a7-3e89-44a3-bdc1-25fe4df754b1
status: test
description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
    - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2023-03-07
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\
        # There is an additional "\" to escape the special "?"
        CommandLine|contains|all:
            - 'copy '
            - '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
    condition: selection
falsepositives:
    - Backup scenarios using the commandline
level: high
Delete Volume Shadow Copies Via WMI With PowerShell
Level: high · Status: stable · Author: frack113 · Id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
Shadow Copies deletion using operating systems utilities via PowerShell.
Sigma YAML:
title: Delete Volume Shadow Copies Via WMI With PowerShell
id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
status: stable
description: Shadow Copies deletion using operating systems utilities via PowerShell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
    - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
author: frack113
date: 2021-06-03
modified: 2023-10-27
tags:
    - attack.impact
    - attack.t1490
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains|all:
            - 'Get-WmiObject'
            - 'Win32_ShadowCopy'
        Data|contains:
            - 'Delete()'
            - 'Remove-WmiObject'
    condition: selection
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
level: high
Deletion of Volume Shadow Copies via WMI with PowerShell
Level: high · Status: test · Author: Tim Rauch, Elastic (idea) · Id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil.
Sigma YAML:
title: Deletion of Volume Shadow Copies via WMI with PowerShell
id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40
related:
    - id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
      type: derived
    - id: c1337eb8-921a-4b59-855b-4ba188ddcc42
      type: similar
status: test
description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
    - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-20
modified: 2022-12-30
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_get:
        CommandLine|contains:
            - 'Get-WmiObject'
            - 'gwmi'
            - 'Get-CimInstance'
            - 'gcim'
    selection_shadowcopy:
        CommandLine|contains: 'Win32_ShadowCopy'
    selection_delete:
        CommandLine|contains:
            - '.Delete()'
            - 'Remove-WmiObject'
            - 'rwmi'
            - 'Remove-CimInstance'
            - 'rcim'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
Level: high · Status: test · Author: Tim Rauch, frack113 · Id: c1337eb8-921a-4b59-855b-4ba188ddcc42
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil.
Sigma YAML:
title: Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
id: c1337eb8-921a-4b59-855b-4ba188ddcc42
related:
    - id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
      type: derived
    - id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40
      type: similar
status: test
description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
    - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
author: Tim Rauch, frack113
date: 2022-09-20
modified: 2022-12-02
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: ps_script
    product: windows
detection:
    selection_get:
        ScriptBlockText|contains:
            - 'Get-WmiObject'
            - 'gwmi'
            - 'Get-CimInstance'
            - 'gcim'
    selection_shadowcopy:
        ScriptBlockText|contains: 'Win32_ShadowCopy'
    selection_delete:
        ScriptBlockText|contains:
            - '.Delete()'
            - 'Remove-WmiObject'
            - 'rwmi'
            - 'Remove-CimInstance'
            - 'rcim'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
Registry Disable System Restore
Level: high · Status: test · Author: frack113 · Id: 5de03871-5d46-4539-a82d-3aa992a69a83
Detects the modification of the registry to disable System Restore on the computer.
Sigma YAML:
title: Registry Disable System Restore
id: 5de03871-5d46-4539-a82d-3aa992a69a83
related:
    - id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
      type: similar
status: test
description: Detects the modification of the registry to disable a system restore on the computer
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
author: frack113
date: 2022-04-04
modified: 2023-08-17
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Policies\Microsoft\Windows NT\SystemRestore'
            - '\Microsoft\Windows NT\CurrentVersion\SystemRestore'
        TargetObject|endswith:
            - DisableConfig
            - DisableSR
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml
simulation:
    - type: atomic-red-team
      name: Disable System Restore Through Registry
      technique: T1490
      atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f
Sensitive File Access Via Volume Shadow Copy Backup
Level: high · Status: test · Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) · Id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit).
Sigma YAML:
title: Sensitive File Access Via Volume Shadow Copy Backup
id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
status: test
description: |
    Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
    - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2024-01-18
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        # copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1
        # There is an additional "\" to escape the special "?"
        CommandLine|contains: '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
    selection_2:
        CommandLine|contains:
            - '\\NTDS.dit'
            - '\\SYSTEM'
            - '\\SECURITY'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
Shadow Copies Deletion Using Operating Systems Utilities
Level: high · Status: stable · Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) · Id: c947b146-0abc-4c87-9c64-b17e9d7274a2
Shadow Copies deletion using operating systems utilities.
Sigma YAML:
title: Shadow Copies Deletion Using Operating Systems Utilities
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
status: stable
description: Shadow Copies deletion using operating systems utilities
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://blog.talosintelligence.com/2017/05/wannacry.html
    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
    - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
    - https://github.com/Neo23x0/Raccine#the-process
    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019-10-22
modified: 2022-11-03
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wmic.exe'
              - '\vssadmin.exe'
              - '\diskshadow.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'wmic.exe'
              - 'VSSADMIN.EXE'
              - 'diskshadow.exe'
    selection1_cli:
        CommandLine|contains|all:
            - 'shadow'  # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
            - 'delete'
    selection2_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection2_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
            - 'quiet' # will match -quiet or /quiet
    selection3_img:
        - Image|endswith: '\vssadmin.exe'
        - OriginalFileName: 'VSSADMIN.EXE'
    selection3_cli:
        CommandLine|contains|all:
            - 'resize'
            - 'shadowstorage'
        CommandLine|contains:
            - 'unbounded'
            - '/MaxSize='
    condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
    - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
Suspicious Volume Shadow Copy VSS_PS.dll Load
Level: high · Status: test · Author: Markus Neis, @markus_neis · Id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes. It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts. The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
Sigma YAML:
title: Suspicious Volume Shadow Copy VSS_PS.dll Load
id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
related:
    - id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll
      type: similar
    - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll
      type: similar
status: test
description: |
    Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes.
    It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts.
    The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
references:
    - https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add
    - https://twitter.com/am0nsec/status/1412232114980982787
author: Markus Neis, @markus_neis
date: 2021-07-07
modified: 2025-07-11
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vss_ps.dll'
    filter_main_legit:
        Image|startswith: 'C:\Windows\'
        Image|endswith:
            - '\clussvc.exe'
            - '\dismhost.exe'
            - '\dllhost.exe'
            - '\inetsrv\appcmd.exe'
            - '\inetsrv\iissetup.exe'
            - '\msiexec.exe'
            - '\rundll32.exe'
            - '\searchindexer.exe'
            - '\srtasks.exe'
            - '\svchost.exe'
            - '\System32\SystemPropertiesAdvanced.exe'
            - '\taskhostw.exe'
            - '\thor.exe'
            - '\thor64.exe'
            - '\tiworker.exe'
            - '\vssvc.exe'
            - '\vssadmin.exe'
            - '\WmiPrvSE.exe'
            - '\wsmprovhost.exe'
    filter_main_update:
        CommandLine|startswith: 'C:\$WinREAgent\Scratch\'
        CommandLine|contains: '\dismhost.exe {'
    filter_main_image_null:
        Image: null
    filter_optional_programfiles:
        # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
Suspicious Volume Shadow Copy Vssapi.dll Load
Level: high · Status: test · Author: frack113 · Id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8
Detects the image load of a VSS DLL by uncommon executables.
Sigma YAML:
title: Suspicious Volume Shadow Copy Vssapi.dll Load
id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8
related:
    - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll
      type: similar
    - id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll
      type: similar
status: test
description: Detects the image load of VSS DLL by uncommon executables
references:
    - https://github.com/ORCx41/DeleteShadowCopies
author: frack113
date: 2022-10-31
modified: 2025-10-17
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vssapi.dll'
    filter_main_windows:
        - Image:
              - 'C:\Windows\explorer.exe'
              - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
        - Image|startswith:
              - 'C:\Windows\System32\'
              - 'C:\Windows\SysWOW64\'
              - 'C:\Windows\Temp\{' # Installers
              - 'C:\Windows\WinSxS\'
    filter_main_program_files:
        # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_null_image:
        Image: null
    filter_optional_programdata_packagecache:
        # The following filter is required because of many FPs cause by:
        #   C:\ProgramData\Package Cache\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\dotnet-sdk-3.1.425-win-x64.exe
        #   C:\ProgramData\Package Cache\{b9cfa33e-ace4-49f4-8bb4-82ded940990a}\windowsdesktop-runtime-6.0.11-win-x86.exe
        #   C:\ProgramData\Package Cache\{50264ff2-ad47-4569-abc4-1c350f285fb9}\aspnetcore-runtime-6.0.11-win-x86.exe
        #   C:\ProgramData\Package Cache\{2dcef8c3-1563-4149-a6ec-5b6c98500d7d}\dotnet-sdk-6.0.306-win-x64.exe
        #   etc.
        Image|startswith: 'C:\ProgramData\Package Cache\'
    filter_optional_avira:
        Image|contains|all:
            - '\temp\is-'
            - '\avira_system_speedup.tmp'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
System Restore Registry Modification via CommandLine
Level: high · Status: experimental · Author: Swachchhanda Shrawan Poudel (Nextron Systems) · Id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
Detects system restore registry modification via command line, which can be used by adversaries to disable system restore on the computer.
Sigma YAML:
title: System Restore Registry Modification via CommandLine
id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
related:
    - id: 5de03871-5d46-4539-a82d-3aa992a69a83
      type: similar
status: experimental
description: |
    Detects system restore registry modification via command line, which can be used by adversaries to disable system restore on the computer.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-11
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli_action:
        CommandLine|contains:
            - ' add '
            - 'Set-ItemProperty'
            - 'New-ItemProperty'
    selection_cli_reg_root:
        CommandLine|contains:
            - '\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    selection_cli_reg_key:
        CommandLine|contains:
            - 'DisableConfig'
            - 'DisableSR'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/info.yml
simulation:
    - type: atomic-red-team
      name: Disable System Restore Through Registry
      technique: T1490
      atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f
AWS S3 Bucket Versioning Disable
Level: medium · Status: test · Author: Sean Johnstone | Unit 42 · Id: a136ac98-b2bc-4189-a14d-f0d0388e57a7
Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.
Sigma YAML:
title: AWS S3 Bucket Versioning Disable
id: a136ac98-b2bc-4189-a14d-f0d0388e57a7
status: test
description: Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.
references:
    - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82
author: Sean Johnstone | Unit 42
date: 2023-10-28
tags:
    - attack.impact
    - attack.t1490
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: s3.amazonaws.com
        eventName: PutBucketVersioning
        requestParameters|contains: 'Suspended'
    condition: selection
falsepositives:
    - AWS administrator legitimately disabling bucket versioning
level: medium
Backup Files Deleted
Level: medium · Status: test · Author: frack113 · Id: 06125661-3814-4e03-bfa2-1e4411c60ac3
Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
Sigma YAML:
title: Backup Files Deleted
id: 06125661-3814-4e03-bfa2-1e4411c60ac3
status: test
description: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files
author: frack113
date: 2022-01-02
modified: 2023-02-15
tags:
    - attack.impact
    - attack.t1490
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wt.exe'
            - '\rundll32.exe'
            - '\regsvr32.exe'
        TargetFilename|endswith:
            - '.VHD'
            - '.bac'
            - '.bak'
            - '.wbcat'
            - '.bkf'
            - '.set'
            - '.win'
            - '.dsk'
    condition: selection
falsepositives:
    - Legitimate usage
level: medium
Cisco Modify Configuration
Level: medium · Status: test · Author: Austin Clark · Id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
Modifications to a config that will serve an adversary's impacts or persistence.
Sigma YAML:
title: Cisco Modify Configuration
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
status: test
description: Modifications to a config that will serve an adversary's impacts or persistence
author: Austin Clark
date: 2019-08-12
modified: 2025-04-28
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.impact
    - attack.t1490
    - attack.t1505
    - attack.t1565.002
    - attack.t1053
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'ip http server'
        - 'ip https server'
        - 'kron policy-list'
        - 'kron occurrence'
        - 'policy-list'
        - 'access-list'
        - 'ip access-group'
        - 'archive maximum'
        - 'ntp server'
    condition: keywords
falsepositives:
    - Legitimate administrators may run these commands
level: medium
File Recovery From Backup Via Wbadmin.EXE
Level: medium · Status: test · Author: Nasreddine Bencherchali (Nextron Systems), frack113 · Id: 6fe4aa1e-0531-4510-8be2-782154b73b48
Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
Sigma YAML:
title: File Recovery From Backup Via Wbadmin.EXE
id: 6fe4aa1e-0531-4510-8be2-782154b73b48
related:
    - id: 84972c80-251c-4c3a-9079-4f00aad93938
      type: derived
status: test
description: |
    Detects the recovery of files from backups via "wbadmin.exe".
    Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-10
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_cli:
        CommandLine|contains|all:
            - ' recovery'
            - 'recoveryTarget'
            - 'itemtype:File'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
New File Exclusion Added To Time Machine Via Tmutil - MacOS
Level: medium · Status: test · Author: Pratinav Chandra · Id: 9acf45ed-3a26-4062-bf08-56857613eb52
Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
Sigma YAML:
title: New File Exclusion Added To Time Machine Via Tmutil - MacOS
id: 9acf45ed-3a26-4062-bf08-56857613eb52
status: test
description: |
    Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
    An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
    - https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: macos
detection:
    selection_img:
        - Image|endswith: '/tmutil'
        - CommandLine|contains: 'tmutil'
    selection_cmd:
        CommandLine|contains: 'addexclusion'
    condition: all of selection_*
falsepositives:
    - Legitimate administrator activity
level: medium
New Root or CA or AuthRoot Certificate to Store
Level: medium · Status: test · Author: frack113 · Id: d223b46b-5621-4037-88fe-fda32eead684
Detects the addition of new root, CA or AuthRoot certificates to the Windows registry.
Sigma YAML:
title: New Root or CA or AuthRoot Certificate to Store
id: d223b46b-5621-4037-88fe-fda32eead684
status: test
description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
    - https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
author: frack113
date: 2022-04-04
modified: 2023-08-17
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\'
            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\'
            - '\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\'
            - '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\'
            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\'
            - '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\'
            - '\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\'
            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\'
            - '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\'
        TargetObject|endswith: '\Blob'
        Details: 'Binary Data'
    condition: selection
falsepositives:
    - Unknown
level: medium
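The rule above only tells you that a blob landed in one of the nine Root/CA/AuthRoot paths. For triage you usually want three more things from the same event: which hive it hit, how the store was populated (local write, Group Policy, or AD-published enterprise store), and the certificate thumbprint, which is the SHA-1 hex subkey name under `Certificates\`. The following is an added example, not part of the Sigma rule or of any Sigma tooling; it anchors a regex on the full key instead of the rule's `contains`, keeps the rule's `Blob` and `Binary Data` checks, and compares the thumbprint against a constructed allowlist. All events, SIDs and thumbprints are placeholders.

```python
"""Triage helper for registry_set events matched by the certificate-store rule.

Added example, not part of the Sigma project. Sysmon EventID 13 reports the
hive as HKLM or HKU\\<SID>, renders REG_BINARY payloads as 'Binary Data', and
the subkey under ...\\Certificates\\ is the certificate's SHA-1 thumbprint.
Events, SIDs, thumbprints and the allowlist below are constructed.
"""
import re

# The three scopes the rule lists, mapped to how the store is normally populated.
SCOPES = {
    "microsoft\\systemcertificates": "local",
    "policies\\microsoft\\systemcertificates": "group-policy",
    "microsoft\\enterprisecertificates": "enterprise",
}

KEY_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\S-1-5-[0-9-]+|HKCU)\\SOFTWARE\\"
    r"(?P<scope>Policies\\Microsoft\\SystemCertificates|Microsoft\\SystemCertificates"
    r"|Microsoft\\EnterpriseCertificates)\\"
    r"(?P<store>Root|CA|AuthRoot)\\Certificates\\(?P<thumbprint>[0-9A-F]{40})\\Blob$",
    re.IGNORECASE,
)

# Constructed allowlist: thumbprints of roots your own PKI is expected to push.
KNOWN_ROOTS = {"A" * 40}


def classify(event):
    """Return triage fields for a cert-store write, or None if the event is not one."""
    if event.get("Details") != "Binary Data":      # same check as the rule
        return None
    m = KEY_RE.match(event.get("TargetObject", ""))
    if not m:
        return None
    thumb = m["thumbprint"].upper()
    return {
        "hive": m["hive"].split("\\")[0].upper(),  # HKLM / HKU / HKCU
        "scope": SCOPES[m["scope"].lower()],
        "store": m["store"],
        "thumbprint": thumb,
        "known": thumb in KNOWN_ROOTS,
        "image": event.get("Image"),
    }


EVENTS = [  # constructed Sysmon EventID 13 records
    {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\"
                     + "B" * 40 + "\\Blob",
     "Details": "Binary Data", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"},
    {"TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\SystemCertificates"
                     "\\CA\\Certificates\\" + "C" * 40 + "\\Blob",
     "Details": "Binary Data", "Image": "C:\\Windows\\System32\\certutil.exe"},
    {"TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\"
                     + "A" * 40 + "\\Blob",
     "Details": "Binary Data", "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\"
                     + "B" * 40 + "\\Blob",
     "Details": "DWORD (0x00000001)", "Image": "C:\\Windows\\regedit.exe"},   # not a cert blob
    {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\My\\Certificates\\"
                     + "D" * 40 + "\\Blob",
     "Details": "Binary Data", "Image": "C:\\Windows\\System32\\lsass.exe"},  # My store: out of scope
]


def triage(events=EVENTS):
    """Return the classified store writes, unknown thumbprints first."""
    found = [c for c in map(classify, events) if c]
    return sorted(found, key=lambda c: c["known"])
```

The two unknown thumbprints come out first: a user-profile installer writing into the machine Root store and certutil.exe writing into a user's CA store. The Group Policy write with an allowlisted thumbprint sorts last, which is the pattern you would expect from a legitimate enterprise PKI push and the main source of noise for this rule.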
medium
Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
Detects the image load of the Volume Shadow Copy DLL "vsstrace.dll" by uncommon executables
status test author frack113 id 48bfd177-7cf2-412b-ad77-baf923489e82
view Sigma YAML
title: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
id: 48bfd177-7cf2-412b-ad77-baf923489e82
related:
    - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll
      type: similar
    - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll
      type: similar
status: test
description: Detects the image load of the Volume Shadow Copy DLL "vsstrace.dll" by uncommon executables
references:
    - https://github.com/ORCx41/DeleteShadowCopies
author: frack113
date: 2023-02-17
modified: 2025-12-03
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vsstrace.dll'
    filter_main_windows:
        - Image:
              - 'C:\Windows\explorer.exe'
              - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
        - Image|startswith:
              - 'C:\Windows\System32\'
              - 'C:\Windows\SysWOW64\'
              - 'C:\Windows\Temp\{' # Installers
              - 'C:\Windows\WinSxS\'
              - 'C:\ProgramData\Package Cache\{'  # Microsoft Visual Redistributable installer  VC_redist/vcredist EXE
    filter_main_program_files:
        # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_optional_recovery:
        Image|startswith: 'C:\$WinREAgent\Scratch\'
    filter_main_null_image:
        Image: null # Observed through Aurora
    filter_optional_avira:
        Image|contains|all:
            - '\temp\is-'
            - '\avira_system_speedup.tmp'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
Time Machine Backup Deletion Attempt Via Tmutil - MacOS
Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil". An adversary may perform this action before launching a ransomware attack to prevent the victim from restoring their files.
status test author Pratinav Chandra id 452df256-da78-427a-866f-49fa04417d74
view Sigma YAML
title: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
id: 452df256-da78-427a-866f-49fa04417d74
status: test
description: |
    Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
    An adversary may perform this action before launching a ransomware attack to prevent the victim from restoring their files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
    - https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: macos
detection:
    selection_img:
        - Image|endswith: '/tmutil'
        - CommandLine|contains: 'tmutil'
    selection_cmd:
        CommandLine|contains: 'delete'
    condition: all of selection_*
falsepositives:
    - Legitimate activities
level: medium
medium
Time Machine Backup Disabled Via Tmutil - MacOS
Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring.
status test author Pratinav Chandra id 2c95fa8a-8b8d-4787-afce-7117ceb8e3da
view Sigma YAML
title: Time Machine Backup Disabled Via Tmutil - MacOS
id: 2c95fa8a-8b8d-4787-afce-7117ceb8e3da
status: test
description: |
    Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
    An attacker can use this to prevent backups from occurring.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
    - https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: macos
detection:
    selection_img:
        - Image|endswith: '/tmutil'
        - CommandLine|contains: 'tmutil'
    selection_cmd:
        CommandLine|contains: 'disable'
    condition: all of selection_*
falsepositives:
    - Legitimate administrator activity
level: medium
medium
Windows Backup Deleted Via Wbadmin.EXE
Detects the deletion of backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id 89f75308-5b1b-4390-b2d8-d6b2340efaf8
view Sigma YAML
title: Windows Backup Deleted Via Wbadmin.EXE
id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
related:
    - id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76
      type: derived
status: test
description: |
    Detects the deletion of backups or system state backups via "wbadmin.exe".
    This technique is used by numerous ransomware families and actors.
    This may only be successful on server platforms that have Windows Backup enabled.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
    - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-13
modified: 2024-05-10
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'delete '
            - 'backup' # Also covers "SYSTEMSTATEBACKUP"
    filter_main_keep_versions:
        # Note: We exclude this to avoid duplicate alerts with 639c9081-f482-47d3-a0bd-ddee3d4ecd76
        CommandLine|contains: 'keepVersions:0'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Legitimate backup activity from administration scripts and software.
level: medium
medium
Windows Recovery Environment Disabled Via Reagentc
Detects attempts to disable the Windows Recovery Environment (WinRE) using Reagentc. ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE). It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
status experimental author Daniel Koifman (KoifSec), Michael Vilshin id db1c21e4-cd66-4b4e-85ca-590f0780529c
view Sigma YAML
title: Windows Recovery Environment Disabled Via Reagentc
id: db1c21e4-cd66-4b4e-85ca-590f0780529c
status: experimental
description: |
    Detects attempts to disable the Windows Recovery Environment using Reagentc.
    ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).
    It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
references:
    - https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes
    - https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options?view=windows-11
author: Daniel Koifman (KoifSec), Michael Vilshin
date: 2025-07-31
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:   # Example command simulated:  reagentc /disable
        - Image|endswith: '\reagentc.exe'
        - OriginalFileName: 'reagentc.exe'
    selection_cli:
        CommandLine|contains|windash: '/disable'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium
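The process_creation rules on this page (the three tmutil rules, the wbadmin rule and the reagentc rule) all use the same handful of Sigma constructs: a list of maps as OR, `contains`/`endswith`, `contains|all`, `windash`, and conditions of the form `all of selection_*` with a `not 1 of filter_main_*` exclusion. The following is an added example, not part of the Sigma project or of pySigma, that implements just that subset and runs three of the rules over constructed events, so you can see exactly which records fire and why. The events, paths and dates are constructed, not real telemetry.

```python
"""Minimal evaluator for the Sigma subset used by this page's process_creation rules.
Added example, not part of the Sigma project or pySigma. It implements only
what those rules need: value lists as OR, contains/endswith/startswith,
contains|all, windash, and conditions built from "all of selection_*" and
"not 1 of filter_main_*". Matching is case-insensitive, as in Sigma.
The events at the bottom are constructed records, not real telemetry.
"""
import itertools

# windash: a '/' or '-' that starts an argument also matches the other dash forms
# (en dash, em dash, horizontal bar), which commands pasted from documents carry.
DASHES = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash_variants(value):
    """Expand '/disable' into '-disable', '/disable', '\u2013disable', ..."""
    slots = [i for i, ch in enumerate(value)
             if ch in DASHES and (i == 0 or value[i - 1] == " ")]
    out = []
    for combo in itertools.product(DASHES, repeat=len(slots)):
        chars = list(value)
        for pos, dash in zip(slots, combo):
            chars[pos] = dash
        out.append("".join(chars))
    return out


def match_value(actual, expected, mods):
    if actual is None:                             # field absent from the event
        return False
    actual = str(actual).lower()
    for cand in (windash_variants(expected) if "windash" in mods else [expected]):
        cand = cand.lower()
        if "contains" in mods:
            hit = cand in actual
        elif "endswith" in mods:
            hit = actual.endswith(cand)
        elif "startswith" in mods:
            hit = actual.startswith(cand)
        else:
            hit = actual == cand
        if hit:
            return True
    return False


def match_field(event, spec, expected):
    field, *mods = spec.split("|")                 # e.g. "CommandLine|contains|all"
    values = expected if isinstance(expected, list) else [expected]
    hits = [match_value(event.get(field), v, mods) for v in values]
    return all(hits) if "all" in mods else any(hits)


def match_selection(event, selection):
    if isinstance(selection, list):                # list of maps is OR, a map is AND
        return any(match_selection(event, s) for s in selection)
    return all(match_field(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    hit = {n: match_selection(event, s) for n, s in rule["detection"].items()}
    all_of = lambda p: all(v for k, v in hit.items() if k.startswith(p))
    one_of = lambda p: any(v for k, v in hit.items() if k.startswith(p))
    return rule["condition"](all_of, one_of)


RULES = [
    {"title": "Windows Backup Deleted Via Wbadmin.EXE",
     "detection": {
         "selection_img": [{"Image|endswith": "\\wbadmin.exe"}, {"OriginalFileName": "WBADMIN.EXE"}],
         "selection_cli": {"CommandLine|contains|all": ["delete ", "backup"]},
         # excluded so the -keepVersions:0 case is left to the "All Backups Deleted" rule
         "filter_main_keep_versions": {"CommandLine|contains": "keepVersions:0"}},
     "condition": lambda all_of, one_of: all_of("selection_") and not one_of("filter_main_")},
    {"title": "Windows Recovery Environment Disabled Via Reagentc",
     "detection": {
         "selection_img": [{"Image|endswith": "\\reagentc.exe"}, {"OriginalFileName": "reagentc.exe"}],
         "selection_cli": {"CommandLine|contains|windash": "/disable"}},
     "condition": lambda all_of, one_of: all_of("selection_")},
    {"title": "Time Machine Backup Deletion Attempt Via Tmutil - MacOS",
     "detection": {
         "selection_img": [{"Image|endswith": "/tmutil"}, {"CommandLine|contains": "tmutil"}],
         "selection_cmd": {"CommandLine|contains": "delete"}},
     "condition": lambda all_of, one_of: all_of("selection_")},
]

EVENTS = [  # constructed samples
    {"id": 1, "Image": "C:\\Windows\\System32\\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete systemstatebackup -keepVersions:0 -quiet"},
    {"id": 2, "Image": "C:\\Windows\\System32\\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin DELETE BACKUP -backupTarget:E: -version:05/10/2024-02:00 -quiet"},
    {"id": 3, "Image": "C:\\Windows\\System32\\ReAgentc.exe", "OriginalFileName": "reagentc.exe",
     "CommandLine": "reagentc \u2013disable"},    # en dash, as pasted from a document
    {"id": 4, "Image": "C:\\Windows\\System32\\ReAgentc.exe", "OriginalFileName": "reagentc.exe",
     "CommandLine": "reagentc /info"},
    {"id": 5, "Image": "/usr/bin/tmutil",
     "CommandLine": "tmutil delete /Volumes/TM/Backups.backupdb/mac/2024-05-28-010203"},
    {"id": 6, "Image": "/bin/zsh",
     "CommandLine": "zsh -c 'tmutil deletelocalsnapshots 2024-05-29-120000'"},
]


def run(rules=RULES, events=EVENTS):
    """Return {event id: [titles of the rules that fired]}."""
    return {e["id"]: [r["title"] for r in rules if evaluate(r, e)] for e in events}
```

Three things worth noticing in the output. Event 1 is silent: it satisfies both wbadmin selections but carries `-keepVersions:0`, so the filter hands it to the "All Backups Deleted" rule instead of raising two alerts for one command. Event 3 fires even though the operator typed an en dash rather than `/`, which is what `windash` buys you. Event 6 fires although the image is `/bin/zsh` and the verb is `deletelocalsnapshots`, because `CommandLine|contains: 'tmutil'` alone satisfies `selection_img` and `contains: 'delete'` matches any verb with that prefix; the tmutil rules are deliberately broad, so expect to tune them on the exact verbs your fleet uses.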
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin