Microsoft Defender Alert Details
Alert ID: MD-INHIBIT-RECOVERY-1490-7842
Alert Time: 2024-03-04 09:30:15 EST
Severity: CRITICAL (98/100)
Source: Microsoft Defender for Endpoint
Rule: “Shadow Copy Deletion Detected – Ransomware Precursor”
MITRE ATT&CK: T1490 – Inhibit System Recovery
Alert Details:
Detection: Attempt to delete Volume Shadow Copies (system backups) on multiple hosts
Hosts Affected: 12 workstations (Finance, Engineering, HR)
Time: 09:15-09:30 EST
Commands Executed (from process creation events):
09:15:22 – vssadmin delete shadows /all /quiet
09:16:45 – wmic shadowcopy delete
09:18:12 – bcdedit /set {default} recoveryenabled No
09:19:33 – bcdedit /set {default} bootstatuspolicy ignoreallfailures
09:20:55 – diskshadow.exe -s C:\Windows\Temp\diskshadow.txt
09:22:18 – wbadmin delete catalog -quiet
09:23:40 – reg add "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup" /v 1 /t REG_MULTI_SZ /d "C:\*" /f
Diskshadow.txt content:
delete shadows all
reset
Detection Logic:
Multiple backup deletion commands executed in sequence
Commands target Volume Shadow Copies (VSS)
Boot configuration modified to disable recovery
Windows Backup catalog deleted
Registry modified to exclude files from backup
Pattern matches ransomware preparation (inhibit recovery)
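The following is an added example, not part of the Defender alert or the report above, showing how the detection logic listed above can be expressed as code: each process-creation event is classified into one of the four recovery-inhibition behaviours (VSS deletion, boot recovery disabled, backup catalog deleted, backup-exclusion registry change), and a host is flagged only when two or more distinct behaviours occur within a 15-minute window, which separates the scripted sequence in this incident from a single administrative command. The sample events, hostnames and timestamps are constructed for the example; the regex patterns, window and threshold are assumptions modelled on the commands in the alert, not Microsoft's rule logic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events: (host, timestamp, parent process, command line).
# Hostnames and timestamps are made up for this example; the command lines mirror those in the alert.
SAMPLE_EVENTS = [
    ("FIN-WS01", "2024-03-04 09:15:22", "cmd.exe", "vssadmin delete shadows /all /quiet"),
    ("FIN-WS01", "2024-03-04 09:16:45", "cmd.exe", "wmic shadowcopy delete"),
    ("FIN-WS01", "2024-03-04 09:18:12", "cmd.exe", "bcdedit /set {default} recoveryenabled No"),
    ("FIN-WS01", "2024-03-04 09:22:18", "cmd.exe", "wbadmin delete catalog -quiet"),
    ("ENG-WS07", "2024-03-04 09:15:30", "cmd.exe", "vssadmin delete shadows /all /quiet"),
    ("ENG-WS07", "2024-03-04 09:19:33", "cmd.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("ENG-WS07", "2024-03-04 09:23:40", "cmd.exe",
     'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\BackupRestore\\FilesNotToBackup" /v 1 /t REG_MULTI_SZ /d "C:\\*" /f'),
    # Benign: an administrator enumerating shadow copies must not trip the rule.
    ("HR-WS03", "2024-03-04 09:17:00", "powershell.exe", "vssadmin list shadows"),
    # One isolated deletion hours later: worth a look, but below the multi-behaviour threshold used here.
    ("HR-WS03", "2024-03-04 11:05:00", "cmd.exe", "vssadmin delete shadows /all /quiet"),
]

# One category per recovery-inhibition behaviour named in the alert's detection logic.
# Patterns are assumptions: case-insensitive regexes over the full command line.
T1490_PATTERNS = {
    "vss_delete": [
        r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b",
        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
        # diskshadow in script mode: the script body is not visible on the command line,
        # so script-mode invocation itself is treated as the signal.
        r"\bdiskshadow(\.exe)?\b.*\s-s\b",
    ],
    "boot_recovery_disabled": [
        r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b",
        r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b",
    ],
    "backup_catalog_deleted": [r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b"],
    "backup_exclusion_registry": [r"\breg(\.exe)?\b.*\badd\b.*\\BackupRestore\\FilesNotToBackup"],
}
_COMPILED = [(cat, re.compile(p, re.IGNORECASE)) for cat, pats in T1490_PATTERNS.items() for p in pats]


def classify(cmdline):
    """Return the recovery-inhibition category a command line matches, or None if it looks benign."""
    for category, rx in _COMPILED:
        if rx.search(cmdline):
            return category
    return None


def detect_recovery_inhibition(events, window=timedelta(minutes=15), min_categories=2):
    """Per host, raise an alert when at least `min_categories` distinct behaviours occur
    within `window`. Returns {host: {"first_seen", "categories", "commands"}}."""
    hits = defaultdict(list)
    for host, ts, _parent, cmd in events:
        category = classify(cmd)
        if category:
            hits[host].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), category, cmd))
    alerts = {}
    for host, items in hits.items():
        items.sort()
        for start, _, _ in items:  # treat each matched event as a potential window start
            burst = [it for it in items if start <= it[0] <= start + window]
            categories = {it[1] for it in burst}
            if len(categories) >= min_categories:
                alerts[host] = {
                    "first_seen": burst[0][0],
                    "categories": sorted(categories),
                    "commands": [it[2] for it in burst],
                }
                break
    return alerts


def summarize_campaign(alerts, spread=timedelta(minutes=30)):
    """Group per-host alerts that start within `spread` of the earliest one. Several hosts
    hit in one burst is the push-to-many-workstations pattern described in the report."""
    if not alerts:
        return {"hosts": [], "multi_host": False, "earliest": None}
    earliest = min(a["first_seen"] for a in alerts.values())
    hosts = sorted(h for h, a in alerts.items() if a["first_seen"] - earliest <= spread)
    return {"hosts": hosts, "multi_host": len(hosts) > 1, "earliest": earliest.isoformat(sep=" ")}


if __name__ == "__main__":
    found = detect_recovery_inhibition(SAMPLE_EVENTS)
    for host, info in found.items():
        print(host, info["first_seen"], info["categories"])
    print(summarize_campaign(found))
```

Requiring two distinct behaviours rather than any single command keeps routine administrative use of vssadmin or bcdedit from paging the SOC, while the campaign summary surfaces the multi-host spread that pointed investigators at a central push mechanism in this incident.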
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Defender alerts | Microsoft 365 Defender | Confirmed shadow copy deletion across 12 hosts
2. Process Investigation | Identify source of commands | CrowdStrike Falcon | PsExec executed from compromised admin workstation
3. Scope Assessment | Determine affected hosts | SCCM, AD | 12 workstations identified
4. Immediate Action | Isolate all affected hosts | CrowdStrike | All 12 hosts quarantined
5. Recovery Attempt | Restore shadow copies | vssadmin, PowerShell | No shadow copies remaining (deleted)
6. Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset
Jira Incident Report
Ticket: SOC-2024-166
Summary: T1490 – Shadow Copies Deleted on 12 Workstations (Ransomware Prep)
Status: RESOLVED
Resolution: MALICIOUS – Recovery Inhibited, Hosts Isolated
Priority: P1 – CRITICAL
Labels: T1490, inhibit-recovery, shadow-copy, ransomware, defender, compromised-admin
Components: Endpoint-Security, Backup-Recovery
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Shadow Copy Deletion Detected – Ransomware Precursor”.
Hosts: 12 workstations across multiple departments.
Actions: Volume Shadow Copies deleted, boot recovery disabled.
Time: 2024-03-04 09:30 EST.
Technique: MITRE ATT&CK T1490 – Inhibit System Recovery.
2. Technical Analysis:
Attack Chain:
08:30 – Domain admin account (jsmith) compromised via phishing
08:45 – Attacker logs into admin workstation via RDP
08:50 – Attacker uses PsExec to push script to 12 workstations
09:15-09:30 – Commands executed on all 12 hosts
09:30 – Defender alerts
Commands Executed (on each host):
Deleted Volume Shadow Copies (vssadmin, wmic, diskshadow)
Disabled boot recovery (bcdedit)
Deleted Windows Backup catalog (wbadmin)
Modified registry to exclude files from backup
Attacker Intent:
Prevent system recovery via shadow copies
Prepare for ransomware deployment
Ensure maximum impact (no quick recovery)
Compromised Admin Account:
Username: jsmith (Domain Admin)
Compromise Method: Phishing email with malicious link
MFA: Not enabled (now enforced)
3. Investigation Findings:
Timeline:
08:30 – Admin account compromised
08:45 – Attacker logs in
08:50 – PsExec used to distribute script
09:15-09:30 – Commands executed
09:30 – Defender alerts
09:32 – SOC investigates
09:35 – All 12 hosts isolated
09:40 – Admin account disabled
Indicators of Compromise (IoCs):
Commands:
– vssadmin delete shadows /all /quiet
– wmic shadowcopy delete
– bcdedit /set {default} recoveryenabled No
– bcdedit /set {default} bootstatuspolicy ignoreallfailures
– diskshadow.exe -s C:\Windows\Temp\diskshadow.txt
– wbadmin delete catalog -quiet
– reg add "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup" …
Account:
– jsmith (compromised domain admin)
4. Containment Actions:
Immediate Actions:
Isolated all 12 affected hosts via CrowdStrike.
Disabled jsmith account.
Reset domain admin password.
Blocked attacker IP at firewall.
Recovery Actions:
Verified shadow copies are permanently deleted (no local recovery possible).
Initiated reimaging of all 12 workstations from clean images.
Restored user data from network backups (unaffected).
Prevention:
No ransomware was deployed (detected before execution).
5. Root Cause Analysis:
Primary Cause: Domain admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had broad access to workstations.
No alerting on shadow copy deletion before the Defender rule fired.
6. Business Impact:
Operational Impact: 12 workstations offline for 4 hours (reimaging).
Data Exposure: No data stolen; local shadow copies lost.
Recovery Impact: Workstations restored from network backups (slower than a local shadow copy restore).
7. Remediation & Prevention:
Completed Actions:
Hosts isolated.
Admin account secured.
Shadow copy monitoring enhanced.
Technical Controls Enhanced:
Enforced MFA for all admin accounts.
Moved admin access behind VPN only.
Created alert for shadow copy deletion.
Implemented endpoint detection for recovery inhibition.
8. Conclusion:
An attacker compromised a domain admin account and systematically deleted Volume Shadow Copies on 12 workstations, preparing for potential ransomware deployment. Defender detected the activity, enabling isolation before ransomware could execute. No data was lost from network backups, but local recovery options were eliminated.
Closure Rationale: Recovery inhibited; hosts isolated; account secured; no ransomware executed.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-04 10:30 EST