
Detect Data Encrypted for Impact in IBM QRadar

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted. In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted and often renamed or tagged with specific file markers. Adversaries may also encrypt critical system files, disk partitions, MBR, virtual machines hosted on ESXi, or cloud storage objects.

MITRE ATT&CK

Tactic
Impact
Technique
T1486 Data Encrypted for Impact
Canonical reference
https://attack.mitre.org/techniques/T1486/

QRadar Detection Query

IBM QRadar (QRadar)
SELECT
  DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS FirstSeen,
  DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS LastSeen,
  sourceip AS HostIP,
  ProcessName,
  SUM(IsEncryptedExt) AS EncryptedFiles,
  SUM(IsShadowDelete) AS ShadowDeletes,
  CASE
    WHEN SUM(IsEncryptedExt) > 500 AND SUM(IsShadowDelete) > 0 THEN 'critical'
    WHEN SUM(IsEncryptedExt) > 200 OR SUM(IsShadowDelete) > 0 THEN 'high'
    WHEN SUM(IsEncryptedExt) > 50 THEN 'medium'
    ELSE 'low'
  END AS RansomwareConfidence
FROM (
  SELECT
    starttime,
    sourceip,
    "Process Name" AS ProcessName,
    CASE WHEN
      UTF8(payload) ILIKE '%.encrypted%' OR
      UTF8(payload) ILIKE '%.locked%' OR
      UTF8(payload) ILIKE '%.crypt%' OR
      UTF8(payload) ILIKE '%.enc%' OR
      UTF8(payload) ILIKE '%.ransom%' OR
      UTF8(payload) ILIKE '%.cry%' OR
      UTF8(payload) ILIKE '%.lock64%' OR
      UTF8(payload) ILIKE '%.cuba%' OR
      UTF8(payload) ILIKE '%.avos%' OR
      UTF8(payload) ILIKE '%.avos2%' OR
      UTF8(payload) ILIKE '%.play%' OR
      UTF8(payload) ILIKE '%.blackbyte%'
    THEN 1 ELSE 0 END AS IsEncryptedExt,
    CASE WHEN
      UTF8(payload) ILIKE '%vssadmin%delete shadows%' OR
      UTF8(payload) ILIKE '%wmic%shadowcopy delete%' OR
      UTF8(payload) ILIKE '%bcdedit%recoveryenabled%no%' OR
      UTF8(payload) ILIKE '%bcdedit%bootstatuspolicy%ignoreallfailures%' OR
      UTF8(payload) ILIKE '%wbadmin delete catalog%' OR
      UTF8(payload) ILIKE '%wbadmin delete systemstatebackup%'
    THEN 1 ELSE 0 END AS IsShadowDelete
  FROM events
  WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
    AND starttime > NOW() - 3600000
)
WHERE IsEncryptedExt = 1 OR IsShadowDelete = 1
GROUP BY sourceip, ProcessName
HAVING SUM(IsEncryptedExt) > 50 OR SUM(IsShadowDelete) > 0
ORDER BY ShadowDeletes DESC, EncryptedFiles DESC
Severity: critical · Confidence: medium

QRadar AQL query for T1486 that payload-matches shadow-copy and recovery-sabotage commands (vssadmin, wmic shadowcopy, bcdedit, wbadmin) and file events carrying known ransomware extensions, from Windows Security and Sysmon log sources over the past hour. The inner select computes one encrypted-extension flag and one shadow-delete flag per event; the outer query groups by source IP and process name, sums the flags, and assigns the same critical/high/medium/low tiers used by the reference KQL/SPL queries, with every tier evaluated against the full extension and command lists rather than a three-extension subset. Results are ordered by ShadowDeletes and EncryptedFiles instead of by the tier label, because a string sort of 'critical'/'high'/'medium'/'low' does not rank the tiers. The extension patterns are substring matches ('%.encrypted%') rather than end-anchored ('%.encrypted'): Sysmon Event ID 11 carries CreationUtcTime (and, on recent Sysmon versions, User) after TargetFilename, so the extension is never the last token of the payload and an end-anchored LIKE would not fire. UTF8(payload) with ILIKE is used for broad compatibility across Sysmon payloads that may not have fully normalized field mappings. Two caveats: the encrypting process (Image in Event ID 11) and the vssadmin.exe/wmic.exe/bcdedit.exe child (Image in Event ID 1) are different process names, so with this grouping the two signals land in separate rows and the critical tier is reached only by a host-level rollup grouped on sourceip alone; and Sysmon forwarded through WinCollect is normally parsed under the Microsoft Windows Security Event Log log source type, so keep 'Microsoft Sysmon' in the IN list only if a custom log source type of that name exists in the deployment.
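The following Python script is an added example, not part of this detection page or of IBM's tooling: it replays the query's matching, grouping and tier thresholds over constructed WinCollect-style Sysmon payloads so the logic can be checked offline before the AQL is deployed. The sql_like helper emulates AQL LIKE/ILIKE semantics; the payload layout, host addresses, process names and file paths are all constructed for the example and are not taken from any real environment.

```python
"""Offline replay of the T1486 AQL logic over constructed Sysmon payloads (added example)."""
from __future__ import annotations

import re
from collections import defaultdict

# Same extension and command lists as the AQL query.
RANSOM_EXTENSIONS = ("encrypted", "locked", "crypt", "enc", "ransom", "cry",
                     "lock64", "cuba", "avos", "avos2", "play", "blackbyte")
SHADOW_DELETE_PATTERNS = (
    "%vssadmin%delete shadows%",
    "%wmic%shadowcopy delete%",
    "%bcdedit%recoveryenabled%no%",
    "%bcdedit%bootstatuspolicy%ignoreallfailures%",
    "%wbadmin delete catalog%",
    "%wbadmin delete systemstatebackup%",
)


def sql_like(pattern: str, text: str) -> bool:
    """Case-insensitive SQL LIKE (AQL ILIKE): '%' is any run, '_' one char, anchored at both ends."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text, flags=re.IGNORECASE | re.DOTALL) is not None


def flag_event(payload: str) -> tuple[int, int]:
    """Per-event flags, as in the inner select: (IsEncryptedExt, IsShadowDelete)."""
    is_enc = int(any(sql_like(f"%.{ext}%", payload) for ext in RANSOM_EXTENSIONS))
    is_shadow = int(any(sql_like(p, payload) for p in SHADOW_DELETE_PATTERNS))
    return is_enc, is_shadow


def confidence(encrypted: int, shadow: int) -> str:
    """Tier thresholds from the query's outer CASE expression."""
    if encrypted > 500 and shadow > 0:
        return "critical"
    if encrypted > 200 or shadow > 0:
        return "high"
    if encrypted > 50:
        return "medium"
    return "low"


def score_events(events, by_process: bool = True) -> dict:
    """Group by (sourceip, process) or by sourceip only, sum the flags, apply the HAVING clause."""
    totals: dict[tuple, list[int]] = defaultdict(lambda: [0, 0])
    for ip, proc, payload in events:
        enc, shadow = flag_event(payload)
        if not (enc or shadow):          # outer WHERE: drop events that matched nothing
            continue
        key = (ip, proc) if by_process else (ip,)
        totals[key][0] += enc
        totals[key][1] += shadow
    return {key: {"EncryptedFiles": e, "ShadowDeletes": s, "RansomwareConfidence": confidence(e, s)}
            for key, (e, s) in totals.items() if e > 50 or s > 0}   # HAVING


# Constructed WinCollect-style flattening of Sysmon events; field order follows the Sysmon schema,
# so TargetFilename is followed by CreationUtcTime and User rather than ending the payload.
def sysmon_file_create(image: str, path: str) -> str:
    return ("AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational EventID=11 "
            f"Message=File created: RuleName: - UtcTime: 2024-05-01 10:00:00.000 Image: {image} "
            f"TargetFilename: {path} CreationUtcTime: 2024-05-01 10:00:00.000 User: CORP\\jdoe")


def sysmon_process_create(image: str, cmdline: str) -> str:
    return ("AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational EventID=1 "
            f"Message=Process Create: RuleName: - UtcTime: 2024-05-01 10:00:05.000 Image: {image} "
            f"CommandLine: {cmdline} User: CORP\\jdoe")


def sample_events() -> list[tuple[str, str, str]]:
    """(sourceip, "Process Name", payload) triples; all hosts, names and paths are constructed."""
    docs = "C:\\Users\\jdoe\\Documents\\"
    # Ransomware host: 600 encrypted files from locker.exe, shadow deletion from a vssadmin.exe child
    evts = [("10.0.0.5", "locker.exe", sysmon_file_create("C:\\Users\\jdoe\\locker.exe",
             f"{docs}report{i}.docx.encrypted")) for i in range(600)]
    evts.append(("10.0.0.5", "vssadmin.exe", sysmon_process_create(
        "C:\\Windows\\System32\\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet")))
    # GnuPG user producing .enc files in bulk (the tuning-section false positive)
    evts += [("10.0.0.7", "gpg.exe", sysmon_file_create("C:\\Program Files\\GnuPG\\bin\\gpg.exe",
              f"{docs}contract{i}.pdf.enc")) for i in range(60)]
    # Backup rotation deleting the oldest snapshot
    evts.append(("10.0.0.9", "vssadmin.exe", sysmon_process_create(
        "C:\\Windows\\System32\\vssadmin.exe", "vssadmin.exe delete shadows /for=C: /oldest")))
    # Below the EncryptedFiles threshold, plus a ransom note the query does not match
    evts += [("10.0.0.11", "explorer.exe", sysmon_file_create("C:\\Windows\\explorer.exe",
              f"{docs}old{i}.xlsx.locked")) for i in range(10)]
    evts.append(("10.0.0.11", "locker.exe", sysmon_file_create("C:\\Users\\jdoe\\locker.exe",
                 f"{docs}README_DECRYPT.txt")))
    return evts


if __name__ == "__main__":
    for label, by_proc in (("GROUP BY sourceip, ProcessName", True), ("GROUP BY sourceip", False)):
        print(label)
        for key, row in sorted(score_events(sample_events(), by_proc).items()):
            print("  ", key, row)
```

Running the script prints both groupings. With the page's grouping, the ransomware host produces two separate 'high' rows (locker.exe with 600 files, vssadmin.exe with one shadow deletion); only the host-level rollup combines them into 'critical'. The end-anchored pattern check in the test (sql_like('%.encrypted', ...) returning False) is the reason the query matches extensions as substrings.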

Data Sources

  • Microsoft Windows Security Event Log via WinCollect
  • Microsoft Sysmon via WinCollect Universal DSM
  • Windows Event Forwarding to QRadar

Required Tables

events

False Positives & Tuning

  • Automated backup solutions (Veeam, Windows Server Backup service) that delete VSS snapshots during scheduled backup rotation jobs, generating payload matches for the shadow deletion patterns; whitelist the backup service account or the backup host's source IP rather than the command itself
  • IT security hardening scripts applying CIS benchmarks or DISA STIGs that use bcdedit to disable boot recovery options on servers, triggering the recovery sabotage signal
  • File encryption utilities (GnuPG, OpenSSL enc, 7-Zip AES) used by users to encrypt sensitive documents for email or storage, producing .enc or .crypt files in bulk when run against directories
  • Short extension tokens (.enc, .cry, .play, .lock64) are substring-matched against the whole payload and will also hit legitimate names such as .playlist or .encoding; drop them or move them into a separate, lower-weight count if they dominate results
  • The encrypting process and its vssadmin/wmic/bcdedit child carry different process names, so the critical tier (both signals in one group) rarely fires with GROUP BY sourceip, ProcessName; run a second variant grouped on sourceip alone, or correlate the two rows in a rule, to reach it

Testing Methodology

Validate this detection with four Atomic Red Team style tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Volume Shadow Copy Deletion via vssadmin

    Expected signal: Sysmon Event ID 1 (process creation) for vssadmin.exe with a 'delete shadows /all /quiet' command line, and Windows Security Event ID 4688 with the same details when command-line auditing is enabled; either one satisfies the '%vssadmin%delete shadows%' payload pattern. VSS Event ID 8224 in the System log (the VSS service shutting down due to idle timeout) is commonly seen shortly afterwards; it corroborates that VSS was exercised but does not itself record the deletion.

  2. Test 2: Recovery Sabotage via bcdedit

    Expected signal: Sysmon Event ID 1: two process creation events for bcdedit.exe with /set commands (recoveryenabled no, bootstatuspolicy ignoreallfailures). Windows Security Event ID 4688 with command-line auditing. Registry modification events for the BCD store (mounted under HKLM\BCD00000000) appear only if the Sysmon configuration has Event ID 12/13 rules covering that hive.

  3. Test 3: Mass File Encryption Simulation

    Expected signal: Sysmon Event ID 11 (FileCreate): 100 file creation events for .docx files from a single process. Sysmon does not log renames, so if the simulation renames the files in place to .docx.encrypted the new names will appear only in Windows Security Event ID 4663 (object access auditing with a SACL on the directory) or in Sysmon Event ID 23/26 file-delete events; a simulation that writes a new .encrypted file and then deletes the original produces the Event ID 11 records the extension match depends on. The burst of file operations in a short time window from a single process is the key telemetry pattern, and 100 files clears the EncryptedFiles > 50 threshold.

  4. Test 4: Ransom Note Drop Simulation

    Expected signal: Sysmon Event ID 11: 10 file creation events for README_DECRYPT.txt in different directories. The identical filename across multiple directories is the key pattern. This query has no ransom-note pattern, so Test 4 on its own produces no row; use it to validate a companion rule or an added note-name pattern.
