T1486 Elastic Security · Elastic

Detect Data Encrypted for Impact in Elastic Security

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted. In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted and often renamed or tagged with specific file markers. Adversaries may also encrypt critical system files, disk partitions, MBR, virtual machines hosted on ESXi, or cloud storage objects.

MITRE ATT&CK

Tactic
Impact
Technique
T1486 Data Encrypted for Impact
Canonical reference
https://attack.mitre.org/techniques/T1486/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=1h
  [process where event.type == "start" and
   (
     process.command_line like~ "*vssadmin*delete shadows*" or
     process.command_line like~ "*wmic*shadowcopy delete*" or
     process.command_line like~ "*bcdedit*/set*recoveryenabled*no*" or
     process.command_line like~ "*bcdedit*/set*bootstatuspolicy*ignoreallfailures*" or
     process.command_line like~ "*wbadmin delete catalog*" or
     process.command_line like~ "*wbadmin delete systemstatebackup*"
   )]
  [file where event.type in ("creation", "change") and
   file.extension in~ ("encrypted", "locked", "crypt", "enc", "ransom", "cry", "lock64", "cuba", "avos", "avos2", "play", "blackbyte")]
critical severity high confidence

Detects T1486 Data Encrypted for Impact using an EQL sequence: a shadow copy deletion or recovery sabotage command is followed by creation of files with known ransomware extensions on the same host within 1 hour. The sequence enforces temporal ordering — shadow deletion then file encryption — which is the canonical ransomware kill chain. For mass file encryption without preceding shadow deletion, configure a separate threshold rule on the file event query alone with count > 50 per process.

Data Sources

Elastic Endpoint Security agentWinlogbeat with Sysmon moduleFleet-managed Windows endpoints

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*winlogbeat-*

False Positives & Tuning

  • Enterprise backup software (Veeam, Acronis, Commvault) that deletes VSS snapshots as part of scheduled backup rotation and renames staged files with temporary extensions resembling ransomware markers
  • BitLocker or VeraCrypt deployment scripts that invoke bcdedit to configure recovery policies on endpoints being encrypted for compliance, producing checkpoint files with .enc or .crypt extensions
  • Third-party file conversion or archiving tools (OpenSSL enc, GnuPG) used legitimately by developers or security teams that produce .enc or .crypt output files alongside any incidental VSS activity on the same host
Download portable Sigma rule (.yml)

Other platforms for T1486

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Volume Shadow Copy Deletion via vssadmin

    Expected signal: Sysmon Event ID 1: Process creation for vssadmin.exe with 'delete shadows /all /quiet' command line. Windows Security Event ID 4688 with same details. VSS Event ID 8224 in System log confirming shadow deletion.

  2. Test 2Recovery Sabotage via bcdedit

    Expected signal: Sysmon Event ID 1: Two process creation events for bcdedit.exe with /set commands. Windows Security Event ID 4688 with command line auditing. Registry modification events for BCD store changes.

  3. Test 3Mass File Encryption Simulation

    Expected signal: Sysmon Event ID 11: 100 file creation events for .docx files, followed by 100 file rename events to .docx.encrypted. The burst of file operations in a short time window from a single process is the key telemetry pattern.

  4. Test 4Ransom Note Drop Simulation

    Expected signal: Sysmon Event ID 11: 10 file creation events for README_DECRYPT.txt in different directories. The identical filename across multiple directories is the key pattern.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1486 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1490Inhibit System RecoveryT1489Service StopT1491.001Internal DefacementT1021.002SMB/Windows Admin SharesT1047Windows Management InstrumentationT1003OS Credential DumpingT1078Valid AccountsT1222File and Directory Permissions ModificationT1529System Shutdown/RebootT1048Exfiltration Over Alternative Protocol

Same Tactic: Impact

Popular Detections