Which SIEM platforms have a T1486 detection rule?

df00tech provides T1486 (Data Encrypted for Impact) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1486 detection?

The T1486 detection is rated critical severity with high confidence.

What are common false positives for T1486?

Common false positives for T1486 include: Legitimate encryption tools (BitLocker, VeraCrypt, 7-Zip) encrypting large numbers of files during backup operations; File migration or archival tools that rename files with new extensions during processing; Anti-ransomware tools that create decoy/canary files with ransomware-like extensions for honeypot detection.

T1486

Data Encrypted for Impact

Q: What data sources are required to detect Data Encrypted for Impact (T1486)?

Detecting Data Encrypted for Impact requires the following data sources: File: File Modification, File: File Creation, Command: Command Execution, Process: Process Creation, Microsoft Defender for Endpoint.

Impact Last updated: April 13, 2026

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted. In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted and often renamed or tagged with specific file markers. Adversaries may also encrypt critical system files, disk partitions, MBR, virtual machines hosted on ESXi, or cloud storage objects.

What is T1486 Data Encrypted for Impact?

Data Encrypted for Impact (T1486) maps to the Impact tactic — the adversary is trying to manipulate, interrupt, or destroy your systems and data in MITRE ATT&CK.

This page provides production-ready detection logic for Data Encrypted for Impact, covering the data sources and telemetry it touches: File: File Modification, File: File Creation, Command: Command Execution, Process: Process Creation, Microsoft Defender for Endpoint. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Impact
Technique: T1486 Data Encrypted for Impact
Canonical reference: https://attack.mitre.org/techniques/T1486/

Microsoft Sentinel / Defender

kusto

let TimeWindow = 1h;
let RenameThreshold = 50;
let ShadowDeleteCommands = dynamic(["vssadmin delete shadows", "vssadmin.exe delete shadows", "wmic shadowcopy delete", "bcdedit /set {default} recoveryenabled no", "bcdedit /set {default} bootstatuspolicy ignoreallfailures", "wbadmin delete catalog", "wbadmin delete systemstatebackup"]);
// Detection 1: Mass file rename/encryption activity
let MassRename = DeviceFileEvents
| where Timestamp > ago(TimeWindow)
| where ActionType in ("FileRenamed", "FileModified", "FileCreated")
| where FileName endswith_any (".encrypted", ".locked", ".crypt", ".enc", ".ransom", ".cry", ".lock64", ".cuba", ".avos", ".avos2", ".play", ".blackbyte")
| summarize
    RenamedFiles = count(),
    UniqueExtensions = dcount(FileName),
    FileTypes = make_set(tostring(split(FileName, ".")[-1]), 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine
| where RenamedFiles > RenameThreshold;
// Detection 2: Shadow copy deletion and recovery sabotage
let ShadowDelete = DeviceProcessEvents
| where Timestamp > ago(TimeWindow)
| where ProcessCommandLine has_any (ShadowDeleteCommands)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName;
// Combine both signals
MassRename
| join kind=leftouter (ShadowDelete) on DeviceName
| extend ShadowsDeleted = isnotempty(ProcessCommandLine)
| extend RansomwareConfidence = case(
    RenamedFiles > 500 and ShadowsDeleted, "critical",
    RenamedFiles > 200 or ShadowsDeleted, "high",
    RenamedFiles > RenameThreshold, "medium",
    "low")
| project FirstSeen, LastSeen, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RenamedFiles, UniqueExtensions, FileTypes, ShadowsDeleted, RansomwareConfidence
| sort by RenamedFiles desc

Detects ransomware activity through two correlated signals: (1) mass file encryption indicated by high volumes of file renames to known ransomware extensions (.encrypted, .locked, .crypt, .lock64, .cuba, .avos, .play, .blackbyte), and (2) volume shadow copy deletion and recovery sabotage via vssadmin, wmic, bcdedit, and wbadmin. Correlates both signals on the same device for high-confidence ransomware detection. A combined signal (mass rename + shadow delete) is rated critical.

critical severity high confidence

Data Sources

File: File Modification File: File Creation Command: Command Execution Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Legitimate encryption tools (BitLocker, VeraCrypt, 7-Zip) encrypting large numbers of files during backup operations
File migration or archival tools that rename files with new extensions during processing
Anti-ransomware tools that create decoy/canary files with ransomware-like extensions for honeypot detection
Disaster recovery testing that involves intentional shadow copy deletion as part of DR exercises

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
  (EventCode=1 (CommandLine="*vssadmin*delete shadows*" OR CommandLine="*wmic*shadowcopy delete*" OR CommandLine="*bcdedit*/set*recoveryenabled*no*" OR CommandLine="*bcdedit*/set*bootstatuspolicy*ignoreallfailures*" OR CommandLine="*wbadmin delete catalog*" OR CommandLine="*wbadmin delete systemstatebackup*"))
  OR
  (EventCode=11 (TargetFilename="*.encrypted" OR TargetFilename="*.locked" OR TargetFilename="*.crypt" OR TargetFilename="*.enc" OR TargetFilename="*.ransom" OR TargetFilename="*.cry" OR TargetFilename="*.lock64" OR TargetFilename="*.cuba" OR TargetFilename="*.avos" OR TargetFilename="*.avos2" OR TargetFilename="*.play" OR TargetFilename="*.blackbyte"))
| eval EventType=case(
    EventCode=1, "ShadowDelete",
    EventCode=11, "FileEncrypted",
    1=1, "Unknown")
| eval ProcessName=coalesce(Image, "unknown")
| bin _time span=1h
| stats
    count(eval(EventType="FileEncrypted")) as EncryptedFiles,
    count(eval(EventType="ShadowDelete")) as ShadowDeletes,
    dc(TargetFilename) as UniqueFiles,
    values(CommandLine) as Commands,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by host, ProcessName, _time
| where EncryptedFiles > 50 OR ShadowDeletes > 0
| eval RansomwareConfidence=case(
    EncryptedFiles > 500 AND ShadowDeletes > 0, "critical",
    EncryptedFiles > 200 OR ShadowDeletes > 0, "high",
    EncryptedFiles > 50, "medium",
    1=1, "low")
| table FirstSeen, LastSeen, host, ProcessName, EncryptedFiles, ShadowDeletes, UniqueFiles, RansomwareConfidence, Commands
| sort - RansomwareConfidence, - EncryptedFiles

Detects ransomware execution by correlating Sysmon Event ID 11 (File Created) for known ransomware file extensions with Sysmon Event ID 1 (Process Creation) for shadow copy deletion and recovery sabotage commands. Groups events into 1-hour windows per host and process. Known ransomware families detected include WannaCry, REvil, Maze, BlackCat, Babuk, Royal, Cuba, AvosLocker, Playcrypt, and BlackByte. A combined signal of mass file encryption plus shadow deletion is rated critical.

critical severity high confidence

Data Sources

File: File Creation Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate encryption tools (BitLocker, VeraCrypt, 7-Zip) encrypting large numbers of files during backup operations
File migration or archival tools that rename files with new extensions during processing
Anti-ransomware tools that create decoy/canary files with ransomware-like extensions for honeypot detection
Disaster recovery testing that involves intentional shadow copy deletion as part of DR exercises

Elastic Security (EQL)

eql

sequence by host.name with maxspan=1h
  [process where event.type == "start" and
   (
     process.command_line like~ "*vssadmin*delete shadows*" or
     process.command_line like~ "*wmic*shadowcopy delete*" or
     process.command_line like~ "*bcdedit*/set*recoveryenabled*no*" or
     process.command_line like~ "*bcdedit*/set*bootstatuspolicy*ignoreallfailures*" or
     process.command_line like~ "*wbadmin delete catalog*" or
     process.command_line like~ "*wbadmin delete systemstatebackup*"
   )]
  [file where event.type in ("creation", "change") and
   file.extension in~ ("encrypted", "locked", "crypt", "enc", "ransom", "cry", "lock64", "cuba", "avos", "avos2", "play", "blackbyte")]

Detects T1486 Data Encrypted for Impact using an EQL sequence: a shadow copy deletion or recovery sabotage command is followed by creation of files with known ransomware extensions on the same host within 1 hour. The sequence enforces temporal ordering — shadow deletion then file encryption — which is the canonical ransomware kill chain. For mass file encryption without preceding shadow deletion, configure a separate threshold rule on the file event query alone with count > 50 per process.

critical severity high confidence

Data Sources

Elastic Endpoint Security agent Winlogbeat with Sysmon module Fleet-managed Windows endpoints

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Enterprise backup software (Veeam, Acronis, Commvault) that deletes VSS snapshots as part of scheduled backup rotation and renames staged files with temporary extensions resembling ransomware markers
BitLocker or VeraCrypt deployment scripts that invoke bcdedit to configure recovery policies on endpoints being encrypted for compliance, producing checkpoint files with .enc or .crypt extensions
Third-party file conversion or archiving tools (OpenSSL enc, GnuPG) used legitimately by developers or security teams that produce .enc or .crypt output files alongside any incidental VSS activity on the same host

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS FirstSeen,
  DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS LastSeen,
  sourceip AS HostIP,
  "Process Name" AS ProcessName,
  SUM(CASE WHEN
    LOWER(UTF8(payload)) LIKE '%.encrypted' OR
    LOWER(UTF8(payload)) LIKE '%.locked' OR
    LOWER(UTF8(payload)) LIKE '%.crypt' OR
    LOWER(UTF8(payload)) LIKE '%.enc' OR
    LOWER(UTF8(payload)) LIKE '%.ransom' OR
    LOWER(UTF8(payload)) LIKE '%.cry' OR
    LOWER(UTF8(payload)) LIKE '%.lock64' OR
    LOWER(UTF8(payload)) LIKE '%.cuba' OR
    LOWER(UTF8(payload)) LIKE '%.avos' OR
    LOWER(UTF8(payload)) LIKE '%.avos2' OR
    LOWER(UTF8(payload)) LIKE '%.play' OR
    LOWER(UTF8(payload)) LIKE '%.blackbyte'
  THEN 1 ELSE 0 END) AS EncryptedFiles,
  SUM(CASE WHEN
    LOWER(UTF8(payload)) LIKE '%vssadmin%delete shadows%' OR
    LOWER(UTF8(payload)) LIKE '%wmic%shadowcopy delete%' OR
    LOWER(UTF8(payload)) LIKE '%bcdedit%recoveryenabled%no%' OR
    LOWER(UTF8(payload)) LIKE '%bcdedit%bootstatuspolicy%ignoreallfailures%' OR
    LOWER(UTF8(payload)) LIKE '%wbadmin delete catalog%' OR
    LOWER(UTF8(payload)) LIKE '%wbadmin delete systemstatebackup%'
  THEN 1 ELSE 0 END) AS ShadowDeletes,
  CASE
    WHEN SUM(CASE WHEN LOWER(UTF8(payload)) LIKE '%.encrypted' OR LOWER(UTF8(payload)) LIKE '%.locked' OR LOWER(UTF8(payload)) LIKE '%.crypt' THEN 1 ELSE 0 END) > 500
      AND SUM(CASE WHEN LOWER(UTF8(payload)) LIKE '%vssadmin%delete shadows%' OR LOWER(UTF8(payload)) LIKE '%wmic%shadowcopy delete%' THEN 1 ELSE 0 END) > 0
      THEN 'critical'
    WHEN SUM(CASE WHEN LOWER(UTF8(payload)) LIKE '%.encrypted' OR LOWER(UTF8(payload)) LIKE '%.locked' OR LOWER(UTF8(payload)) LIKE '%.crypt' THEN 1 ELSE 0 END) > 200
      OR SUM(CASE WHEN LOWER(UTF8(payload)) LIKE '%vssadmin%delete shadows%' OR LOWER(UTF8(payload)) LIKE '%wmic%shadowcopy delete%' THEN 1 ELSE 0 END) > 0
      THEN 'high'
    WHEN SUM(CASE WHEN LOWER(UTF8(payload)) LIKE '%.encrypted' OR LOWER(UTF8(payload)) LIKE '%.locked' THEN 1 ELSE 0 END) > 50
      THEN 'medium'
    ELSE 'low'
  END AS RansomwareConfidence
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND starttime > NOW() - 3600000
  AND (
    LOWER(UTF8(payload)) LIKE '%vssadmin%delete shadows%' OR
    LOWER(UTF8(payload)) LIKE '%wmic%shadowcopy delete%' OR
    LOWER(UTF8(payload)) LIKE '%bcdedit%recoveryenabled%no%' OR
    LOWER(UTF8(payload)) LIKE '%bcdedit%bootstatuspolicy%ignoreallfailures%' OR
    LOWER(UTF8(payload)) LIKE '%wbadmin delete catalog%' OR
    LOWER(UTF8(payload)) LIKE '%wbadmin delete systemstatebackup%' OR
    LOWER(UTF8(payload)) LIKE '%.encrypted' OR
    LOWER(UTF8(payload)) LIKE '%.locked' OR
    LOWER(UTF8(payload)) LIKE '%.crypt' OR
    LOWER(UTF8(payload)) LIKE '%.enc' OR
    LOWER(UTF8(payload)) LIKE '%.ransom' OR
    LOWER(UTF8(payload)) LIKE '%.cry' OR
    LOWER(UTF8(payload)) LIKE '%.lock64' OR
    LOWER(UTF8(payload)) LIKE '%.cuba' OR
    LOWER(UTF8(payload)) LIKE '%.avos' OR
    LOWER(UTF8(payload)) LIKE '%.play' OR
    LOWER(UTF8(payload)) LIKE '%.blackbyte'
  )
GROUP BY sourceip, "Process Name"
HAVING EncryptedFiles > 50 OR ShadowDeletes > 0
ORDER BY RansomwareConfidence DESC, EncryptedFiles DESC

QRadar AQL query detecting T1486 by payload-matching shadow copy deletion commands and ransomware extension file creation events from Windows Sysmon and Security log sources over the past hour. Groups events by source IP and process name, then applies the same confidence scoring tiers (critical/high/medium) as the reference KQL/SPL queries. UTF8(payload) matching is used for broad compatibility across Sysmon XML payloads that may not have fully normalized field mappings.

critical severity medium confidence

Data Sources

Microsoft Windows Security Event Log via WinCollect Microsoft Sysmon via WinCollect Universal DSM Windows Event Forwarding to QRadar

Required Tables

events

False Positives

Automated backup solutions (Veeam, Windows Server Backup service) that delete VSS snapshots during scheduled backup rotation jobs, generating payload matches for shadow deletion patterns
IT security hardening scripts applying CIS benchmarks or DISA STIGs that use bcdedit to disable boot recovery options on servers, triggering the recovery sabotage signal
File encryption utilities (GnuPG, OpenSSL enc, 7-Zip AES) used by users to encrypt sensitive documents for email or storage, producing .enc or .crypt files in bulk when run against directories

Sumo Logic CSE

sql

(_sourceCategory=*windows/sysmon* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where EventCode = "1" OR EventCode = "11"
| if (EventCode = "1" AND (
    toLowerCase(CommandLine) matches "*vssadmin*delete shadows*" OR
    toLowerCase(CommandLine) matches "*wmic*shadowcopy delete*" OR
    toLowerCase(CommandLine) matches "*bcdedit*recoveryenabled*no*" OR
    toLowerCase(CommandLine) matches "*bcdedit*bootstatuspolicy*ignoreallfailures*" OR
    toLowerCase(CommandLine) matches "*wbadmin delete catalog*" OR
    toLowerCase(CommandLine) matches "*wbadmin delete systemstatebackup*"
  ), "ShadowDelete", "") as ShadowDeleteType
| if (EventCode = "11" AND (
    TargetFilename matches "*.encrypted" OR
    TargetFilename matches "*.locked" OR
    TargetFilename matches "*.crypt" OR
    TargetFilename matches "*.enc" OR
    TargetFilename matches "*.ransom" OR
    TargetFilename matches "*.cry" OR
    TargetFilename matches "*.lock64" OR
    TargetFilename matches "*.cuba" OR
    TargetFilename matches "*.avos" OR
    TargetFilename matches "*.avos2" OR
    TargetFilename matches "*.play" OR
    TargetFilename matches "*.blackbyte"
  ), "FileEncrypted", "") as FileEncryptType
| where ShadowDeleteType != "" OR FileEncryptType != ""
| timeslice 1h
| stats
    countif(FileEncryptType = "FileEncrypted") as EncryptedFiles,
    countif(ShadowDeleteType = "ShadowDelete") as ShadowDeletes,
    dcount(TargetFilename) as UniqueFiles,
    values(CommandLine) as Commands
    by Computer, Image, _timeslice
| where EncryptedFiles > 50 OR ShadowDeletes > 0
| if (EncryptedFiles > 500 AND ShadowDeletes > 0, "critical",
    if (EncryptedFiles > 200 OR ShadowDeletes > 0, "high",
    if (EncryptedFiles > 50, "medium", "low"))) as RansomwareConfidence
| fields _timeslice, Computer, Image, EncryptedFiles, ShadowDeletes, UniqueFiles, RansomwareConfidence, Commands
| sort by RansomwareConfidence, EncryptedFiles

Sumo Logic query detecting T1486 ransomware activity by parsing Sysmon EventCode 1 (process creation — shadow copy deletion and recovery sabotage commands) and EventCode 11 (file creation — ransomware extension matches). Applies hourly time bucketing with threshold-based confidence scoring per host and process, matching the logic of the reference KQL/SPL queries. Requires Sysmon data forwarded under a sourceCategory containing 'sysmon' or 'winlogbeat'.

critical severity high confidence

Data Sources

Sumo Logic Sysmon Installed Collector (Windows) Sumo Logic Windows Event Log Source Winlogbeat forwarding to Sumo Logic HTTP Source

Required Tables

_sourceCategory=*windows/sysmon* _sourceCategory=*sysmon* _sourceCategory=*winlogbeat*

False Positives

Enterprise backup agents (Veeam, Veritas NetBackup, Cohesity) that manage VSS snapshot lifecycles and rename staged backup files with temporary extensions that match ransomware extension patterns during backup jobs
IT provisioning workflows using bcdedit or wbadmin during OS imaging or recovery partition configuration, especially during large-scale endpoint rollouts that generate bulk process events
Legitimate encrypted archive creation workflows (GnuPG batch encryption, OpenSSL bulk enc) that produce many .enc or .crypt files when users or scripts encrypt directories of sensitive data for transfer

Google Chronicle / SecOps

yaral

rule t1486_data_encrypted_for_impact {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1486 Data Encrypted for Impact: correlates shadow copy deletion or recovery sabotage process events with ransomware extension file creation on the same host within 1 hour. Requires at least 10 encrypted files alongside a shadow deletion event to reduce false positives from isolated admin activity."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1486"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1486/"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname = $host
    (
      re.regex($proc.target.process.command_line, `(?i)vssadmin\s+delete\s+shadows`) or
      re.regex($proc.target.process.command_line, `(?i)wmic\s+shadowcopy\s+delete`) or
      re.regex($proc.target.process.command_line, `(?i)bcdedit\s+/set.*recoveryenabled\s+no`) or
      re.regex($proc.target.process.command_line, `(?i)bcdedit\s+/set.*bootstatuspolicy.*ignoreallfailures`) or
      re.regex($proc.target.process.command_line, `(?i)wbadmin\s+delete\s+catalog`) or
      re.regex($proc.target.process.command_line, `(?i)wbadmin\s+delete\s+systemstatebackup`)
    )

    $file.metadata.event_type = "FILE_CREATION"
    $file.principal.hostname = $host
    re.regex($file.target.file.full_path, `(?i)\.(encrypted|locked|crypt|enc|ransom|cry|lock64|cuba|avos|avos2|play|blackbyte)$`)

  match:
    $host over 1h

  condition:
    $proc and #file > 10
}

Chronicle YARA-L 2.0 rule detecting T1486 Data Encrypted for Impact by correlating shadow copy deletion or Windows recovery sabotage process events with ransomware-extension file creation events on the same host within a 1-hour sliding window. The match section groups by hostname over 1h and the condition requires at least one shadow deletion process AND more than 10 ransomware-extension file creation events, providing a high-confidence combined signal. For standalone shadow deletion alerting (no file threshold), a separate single-event rule is recommended.

critical severity high confidence

Data Sources

Google Chronicle UDM ingestion Windows Event Log via Chronicle Forwarder Microsoft Sysmon via Chronicle Forwarder CrowdStrike Falcon via Chronicle integration

Required Tables

UDM PROCESS_LAUNCH events UDM FILE_CREATION events

False Positives

Enterprise disk encryption deployment (BitLocker provisioning via bcdedit, VeraCrypt volume creation) that modifies boot recovery settings and creates encrypted volume container files with .enc or similar extensions on the same host within the detection window
Backup infrastructure maintenance tasks where backup admins run VSS snapshot deletion commands during scheduled maintenance windows while legitimate .crypt files exist from prior encryption operations on the same endpoint
Authorized red team or penetration testing exercises simulating ransomware behavior on in-scope hosts that are not excluded from Chronicle detection rules, generating correlated process and file events

CrowdStrike LogScale (CQL)

cql

#repo = "falcon"
| #event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2", "FileWritten")
| ShadowDeleteMatch := if(
    #event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2") AND
    CommandLine = /(?i)(vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|bcdedit\s+\/set.*recoveryenabled\s+no|bcdedit\s+\/set.*bootstatuspolicy.*ignoreallfailures|wbadmin\s+delete\s+catalog|wbadmin\s+delete\s+systemstatebackup)/,
    1, 0)
| RansomwareFileMatch := if(
    #event_simpleName = "FileWritten" AND
    TargetFileName = /\.(encrypted|locked|crypt|enc|ransom|cry|lock64|cuba|avos|avos2|play|blackbyte)$/i,
    1, 0)
| where ShadowDeleteMatch = 1 OR RansomwareFileMatch = 1
| groupBy([ComputerName, ImageFileName], function=[
    sum(RansomwareFileMatch, as=EncryptedFiles),
    sum(ShadowDeleteMatch, as=ShadowDeletes),
    collect([CommandLine], limit=10, as=Commands),
    min(timestamp, as=FirstSeen),
    max(timestamp, as=LastSeen)
  ], limit=10000)
| where EncryptedFiles > 50 OR ShadowDeletes > 0
| RansomwareConfidence := case {
    EncryptedFiles > 500 AND ShadowDeletes > 0, "critical";
    EncryptedFiles > 200 OR ShadowDeletes > 0, "high";
    EncryptedFiles > 50, "medium";
    default, "low"
  }
| sort(EncryptedFiles, order=desc)
| select([FirstSeen, LastSeen, ComputerName, ImageFileName, EncryptedFiles, ShadowDeletes, RansomwareConfidence, Commands])

CrowdStrike LogScale (Falcon) query detecting T1486 Data Encrypted for Impact by correlating ProcessRollup2/SyntheticProcessRollup2 events containing shadow copy deletion and recovery sabotage commands with FileWritten events using known ransomware extensions. Groups by endpoint hostname and initiating process image, applies configurable thresholds, and produces confidence scoring matching the reference KQL/SPL logic. Requires CrowdStrike Falcon EDR file write monitoring policy to be enabled for FileWritten events to be present.

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2) CrowdStrike Falcon EDR with file write monitoring enabled (FileWritten) Falcon Data Replicator (FDR) stream

Required Tables

ProcessRollup2 SyntheticProcessRollup2 FileWritten

False Positives

Third-party endpoint management or backup agents running on hosts with high file I/O activity (Veeam agent, Acronis Cyber Backup) that trigger FileWritten events for staging files with temporary extensions and may invoke VSS management commands
CrowdStrike sensor itself or competing EDR products during agent upgrades or file quarantine operations that rename files with modified extensions and execute recovery-related system utilities
Automated patch management and software deployment platforms (SCCM, Intune, Tanium) running post-patch scripts that invoke bcdedit for boot configuration and generate bulk file writes with non-standard extensions during staged rollouts

Sigma rule & cross-platform mapping

The detection logic for Data Encrypted for Impact (T1486) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1486 Sigma rules on detection.fyi

Platform-specific guides for T1486

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (9)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Volume Shadow Copy Deletion via vssadmin
Expected signal: Sysmon Event ID 1: Process creation for vssadmin.exe with 'delete shadows /all /quiet' command line. Windows Security Event ID 4688 with same details. VSS Event ID 8224 in System log confirming shadow deletion.
Test 2Recovery Sabotage via bcdedit
Expected signal: Sysmon Event ID 1: Two process creation events for bcdedit.exe with /set commands. Windows Security Event ID 4688 with command line auditing. Registry modification events for BCD store changes.
Test 3Mass File Encryption Simulation
Expected signal: Sysmon Event ID 11: 100 file creation events for .docx files, followed by 100 file rename events to .docx.encrypted. The burst of file operations in a short time window from a single process is the key telemetry pattern.
Test 4Ransom Note Drop Simulation
Expected signal: Sysmon Event ID 11: 10 file creation events for README_DECRYPT.txt in different directories. The identical filename across multiple directories is the key pattern.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1486 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Data Encrypted for Impact

What is T1486 Data Encrypted for Impact?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1486

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Impact

Popular Detections

What is T1486 Data Encrypted for Impact?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1486

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Impact

Popular Detections

Get new detections in your inbox