THREAT-Ransomware-StagingIndicators

Ransomware Pre-Deployment Staging Indicators

The hours before ransomware deployment follow a repeatable pattern regardless of group: network share enumeration, credential dumping, detection tool impairment, and staging of the ransomware binary in accessible locations. NCSC UK 2025 threat report identified Akira, Black Basta, and Play as the most active ransomware groups targeting UK SMBs. The staging sequence typically occurs within 1-48 hours before encryption begins, offering a detection opportunity. Key indicators: (1) net use or net share enumeration across the network; (2) vssadmin.exe or wmic delete shadowstorage (shadow copy deletion — the final indicator before encryption); (3) remote execution tool setup (PsExec, PAExec, WMI, WinRM) preparing for domain-wide payload deployment; (4) large file transfers or staging directories created; (5) AV/EDR impairment attempts. This detection targets the staging window before encryption — detection here prevents the actual ransomware event.

Microsoft Sentinel / Defender

kusto

// THREAT: Ransomware Pre-Deployment Staging Indicators
// Detects the staging sequence used by Akira, Black Basta, LockBit, Play
// before mass ransomware deployment across the domain

// Indicator 1: Shadow copy deletion (T1490 — immediate escalation)
let ShadowDelete = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "vssadmin.exe" and ProcessCommandLine has_any ("delete", "resize", "shadowstorage"))
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("shadowcopy", "delete", "shadow"))
    or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Delete-ShadowCopy", "Win32_ShadowCopy", "vssadmin"))
    or (FileName =~ "bcdedit.exe" and ProcessCommandLine has_any ("recoveryenabled", "no", "bootstatuspolicy", "ignoreallfailures"))
  )
| extend StageIndicator = "ShadowCopyDeletion"
| extend StagingRisk = 100;
// Indicator 2: Network share enumeration (mass reconnaissance)
let ShareEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "net.exe" and ProcessCommandLine has_any ("view", "share", "use"))
    or (FileName =~ "net1.exe" and ProcessCommandLine has_any ("view", "share"))
    or (FileName =~ "netscan.exe")
    or (FileName =~ "AdFind.exe")
    or (FileName =~ "nltest.exe" and ProcessCommandLine has_any ("dclist", "domain_trusts", "server", "all_trusts"))
  )
| summarize EnumCount=count() by DeviceName, AccountName, bin(Timestamp, 15m)
| where EnumCount >= 5
| extend StageIndicator = "NetworkShareEnumeration"
| extend StagingRisk = 70;
// Indicator 3: Remote execution tools for mass deployment
let RemoteExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe")
    or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:" and ProcessCommandLine has "process call create")
    or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Invoke-WMIMethod", "Invoke-Command", "New-PSSession")
        and ProcessCommandLine has_any ("-ComputerName", "-cn") and DeviceName != AccountDomain)
| extend StageIndicator = "RemoteExecutionToolUsed"
| extend StagingRisk = 80;
// Indicator 4: AV/EDR impairment (T1562.001)
let DefenseImpair = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "sc.exe" and ProcessCommandLine has_any ("stop", "delete", "config") and
     ProcessCommandLine has_any ("WinDefend", "Sense", "MpsSvc", "wscsvc", "WdFilter", "WdNisSvc",
        "SecurityHealthService", "SentinelAgent", "CSFalconService"))
    or (FileName =~ "taskkill.exe" and ProcessCommandLine has_any (
        "msmpeng", "mssense", "csagent", "sentinelagent", "cbdaemon", "mbam"))
    or (FileName =~ "reg.exe" and ProcessCommandLine has_any ("add", "delete") and
     ProcessCommandLine has_any ("WinDefend", "DisableAntiSpyware", "DisableRealtimeMonitoring",
        "SOFTWARE\\Policies\\Microsoft\\Windows Defender"))
  )
| extend StageIndicator = "DefenseImpairmentAttempt"
| extend StagingRisk = 90;
union ShadowDelete, RemoteExec, DefenseImpair
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, StageIndicator, StagingRisk
| sort by StagingRisk desc, Timestamp desc

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint (DeviceProcessEvents) Sysmon Windows Security Event Log

Required Tables

DeviceProcessEvents

False Positives

Legitimate IT backup tools (Veeam, Acronis, Backup Exec) that use vssadmin to manage shadow copies
System administrators using net view/net share for legitimate inventory
PsExec used by IT staff for remote administration or software deployment during maintenance windows
Endpoint management platforms (SCCM, Qualys, Tanium) that invoke WMI remote execution for patch deployment
Security testing by authorised penetration testers (shadow copy deletion should be excluded from scope)

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
  (
    (Image="*\\vssadmin.exe" AND (CommandLine="*delete*" OR CommandLine="*resize*" OR CommandLine="*shadowstorage*"))
    OR (Image="*\\wmic.exe" AND CommandLine="*shadowcopy*" AND CommandLine="*delete*")
    OR (Image="*\\bcdedit.exe" AND (CommandLine="*recoveryenabled*" OR CommandLine="*bootstatuspolicy*"))
  )
  OR
  (
    Image IN ("*\\psexec.exe", "*\\psexec64.exe", "*\\paexec.exe", "*\\remcom.exe")
  )
  OR
  (
    Image="*\\sc.exe" AND
    (CommandLine="*stop*" OR CommandLine="*delete*" OR CommandLine="*config*") AND
    (CommandLine="*WinDefend*" OR CommandLine="*Sense*" OR CommandLine="*MpsSvc*" OR
     CommandLine="*SentinelAgent*" OR CommandLine="*CSFalconService*" OR CommandLine="*mbam*")
  )
  OR
  (
    Image="*\\taskkill.exe" AND
    (CommandLine="*msmpeng*" OR CommandLine="*mssense*" OR CommandLine="*csagent*" OR
     CommandLine="*sentinelagent*" OR CommandLine="*cbdaemon*")
  )
)
| eval StagingIndicator=case(
    match(Image, "(?i)vssadmin|bcdedit") OR (match(Image, "(?i)wmic") AND match(CommandLine, "(?i)shadowcopy.*delete")),
    "ShadowCopyDeletion_CRITICAL",
    match(Image, "(?i)(psexec|paexec|remcom)"),
    "RemoteExecTool_HIGH",
    match(Image, "(?i)sc\.exe") OR match(Image, "(?i)taskkill"),
    "DefenseImpairment_HIGH",
    true(), "Other_MEDIUM"
  )
| eval RiskScore=case(
    StagingIndicator="ShadowCopyDeletion_CRITICAL", 100,
    StagingIndicator="DefenseImpairment_HIGH", 90,
    StagingIndicator="RemoteExecTool_HIGH", 80,
    true(), 60
  )
| stats
    count AS EventCount,
    values(StagingIndicator) AS Indicators,
    values(CommandLine) AS Commands,
    max(RiskScore) AS MaxRisk,
    values(Image) AS Binaries
  BY host, User, _time span=30m
| eval ThreatActors="Akira, Black Basta, LockBit, Play, Medusa"
| sort - MaxRisk

critical severity high confidence

Data Sources

Sysmon via Windows Event Log Windows Security Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Veeam or other backup tools managing VSS shadow copies
IT administrators using PsExec for remote administration tasks
Security tools stopping conflicting endpoint protection during upgrade

Elastic Security (EQL)

eql

any where event.category == "process" and event.type == "start" and (
  /* Shadow copy deletion - CRITICAL (T1490) */
  (process.name : "vssadmin.exe" and process.command_line : ("*delete*", "*shadowstorage*", "*resize*")) or
  (process.name : "wmic.exe" and process.command_line : "*shadowcopy*delete*") or
  (process.name : "bcdedit.exe" and process.command_line : ("*recoveryenabled*", "*bootstatuspolicy*", "*ignoreallfailures*")) or
  (process.name : "powershell.exe" and process.command_line : ("*Delete-ShadowCopy*", "*Win32_ShadowCopy*delete*", "*vssadmin*delete*")) or
  /* Remote execution tool staging - HIGH (T1021.002) */
  process.name : ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe") or
  (process.name : "wmic.exe" and process.command_line : "*/node:*" and process.command_line : "*process call create*") or
  /* Defense impairment - HIGH (T1562.001) */
  (
    process.name : "sc.exe" and
    process.command_line : ("*stop*", "*delete*", "*config*") and
    process.command_line : ("*WinDefend*", "*Sense*", "*MpsSvc*", "*SentinelAgent*", "*CSFalconService*", "*WdFilter*", "*WdNisSvc*", "*SecurityHealthService*")
  ) or
  (
    process.name : "taskkill.exe" and
    process.command_line : ("*msmpeng*", "*mssense*", "*csagent*", "*sentinelagent*", "*cbdaemon*", "*mbam*")
  ) or
  (
    process.name : "reg.exe" and
    process.command_line : ("*add*", "*delete*") and
    process.command_line : ("*DisableAntiSpyware*", "*DisableRealtimeMonitoring*", "*Windows Defender*", "*WinDefend*")
  )
)

critical severity high confidence

Data Sources

Elastic Endpoint Security (elastic-agent) Windows Sysmon via Elastic Agent Fleet logs-endpoint.events.process-* (ECS process events)

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-*

False Positives

Backup administrators running legitimate VSS snapshot management via vssadmin delete on dedicated backup servers as part of scheduled retention policy enforcement (Veeam, Commvault, Veritas agents)
IT operations teams using PsExec or PAExec for authorized remote software deployment, OS patch distribution, or incident response tasks across domain-joined endpoints during maintenance windows
Security platform migration projects that stop or disable incumbent AV/EDR services (WinDefend, Sense, legacy AV) using sc.exe before installing a replacement endpoint security stack

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  devicename AS ComputerName,
  username AS Username,
  QIDNAME(qid) AS EventName,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CASE
    WHEN (
      (UTF8(payload) ILIKE '%vssadmin%' AND (UTF8(payload) ILIKE '%delete%' OR UTF8(payload) ILIKE '%shadowstorage%'))
      OR (UTF8(payload) ILIKE '%wmic%' AND UTF8(payload) ILIKE '%shadowcopy%' AND UTF8(payload) ILIKE '%delete%')
      OR (UTF8(payload) ILIKE '%bcdedit%' AND (UTF8(payload) ILIKE '%recoveryenabled%' OR UTF8(payload) ILIKE '%bootstatuspolicy%'))
      OR (UTF8(payload) ILIKE '%powershell%' AND (UTF8(payload) ILIKE '%Delete-ShadowCopy%' OR UTF8(payload) ILIKE '%Win32_ShadowCopy%delete%'))
    ) THEN 'ShadowCopyDeletion_CRITICAL'
    WHEN (
      UTF8(payload) ILIKE '%psexec.exe%' OR UTF8(payload) ILIKE '%psexec64.exe%'
      OR UTF8(payload) ILIKE '%paexec.exe%' OR UTF8(payload) ILIKE '%remcom.exe%'
      OR (UTF8(payload) ILIKE '%wmic%' AND UTF8(payload) ILIKE '%/node:%' AND UTF8(payload) ILIKE '%process call create%')
    ) THEN 'RemoteExecTool_HIGH'
    WHEN (
      (UTF8(payload) ILIKE '%\sc.exe%' OR UTF8(payload) ILIKE '% sc %')
      AND (UTF8(payload) ILIKE '%stop%' OR UTF8(payload) ILIKE '%delete%' OR UTF8(payload) ILIKE '%config%')
      AND (UTF8(payload) ILIKE '%WinDefend%' OR UTF8(payload) ILIKE '%SentinelAgent%'
           OR UTF8(payload) ILIKE '%CSFalconService%' OR UTF8(payload) ILIKE '%MpsSvc%'
           OR UTF8(payload) ILIKE '%WdFilter%' OR UTF8(payload) ILIKE '%WdNisSvc%')
    ) THEN 'DefenseImpairment_HIGH'
    WHEN (
      UTF8(payload) ILIKE '%taskkill%'
      AND (UTF8(payload) ILIKE '%msmpeng%' OR UTF8(payload) ILIKE '%mssense%'
           OR UTF8(payload) ILIKE '%csagent%' OR UTF8(payload) ILIKE '%sentinelagent%'
           OR UTF8(payload) ILIKE '%cbdaemon%' OR UTF8(payload) ILIKE '%mbam%')
    ) THEN 'DefenseImpairment_HIGH'
    ELSE 'Unknown'
  END AS StagingIndicator,
  CASE
    WHEN (UTF8(payload) ILIKE '%vssadmin%delete%' OR UTF8(payload) ILIKE '%bcdedit%recoveryenabled%'
          OR UTF8(payload) ILIKE '%wmic%shadowcopy%delete%') THEN 100
    WHEN (UTF8(payload) ILIKE '%sc.exe%stop%WinDefend%' OR UTF8(payload) ILIKE '%taskkill%msmpeng%'
          OR UTF8(payload) ILIKE '%taskkill%sentinelagent%') THEN 90
    WHEN (UTF8(payload) ILIKE '%psexec%' OR UTF8(payload) ILIKE '%paexec%' OR UTF8(payload) ILIKE '%remcom%') THEN 80
    ELSE 60
  END AS RiskScore,
  UTF8(payload) AS RawEvent
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 232, 261)
  AND (
    (UTF8(payload) ILIKE '%vssadmin%' AND (UTF8(payload) ILIKE '%delete%' OR UTF8(payload) ILIKE '%shadowstorage%'))
    OR (UTF8(payload) ILIKE '%wmic%' AND UTF8(payload) ILIKE '%shadowcopy%' AND UTF8(payload) ILIKE '%delete%')
    OR (UTF8(payload) ILIKE '%bcdedit%' AND (UTF8(payload) ILIKE '%recoveryenabled%' OR UTF8(payload) ILIKE '%bootstatuspolicy%'))
    OR (UTF8(payload) ILIKE '%powershell%' AND (UTF8(payload) ILIKE '%Delete-ShadowCopy%' OR UTF8(payload) ILIKE '%Win32_ShadowCopy%'))
    OR UTF8(payload) ILIKE '%psexec.exe%'
    OR UTF8(payload) ILIKE '%paexec.exe%'
    OR UTF8(payload) ILIKE '%remcom.exe%'
    OR (
      (UTF8(payload) ILIKE '%\sc.exe%' OR UTF8(payload) ILIKE '%sc.exe%')
      AND (UTF8(payload) ILIKE '%stop%' OR UTF8(payload) ILIKE '%delete%')
      AND (UTF8(payload) ILIKE '%WinDefend%' OR UTF8(payload) ILIKE '%SentinelAgent%' OR UTF8(payload) ILIKE '%CSFalconService%')
    )
    OR (
      UTF8(payload) ILIKE '%taskkill%'
      AND (UTF8(payload) ILIKE '%msmpeng%' OR UTF8(payload) ILIKE '%mssense%'
           OR UTF8(payload) ILIKE '%csagent%' OR UTF8(payload) ILIKE '%sentinelagent%')
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY RiskScore DESC, starttime DESC
LIMIT 500

critical severity high confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log (EID 4688 — Process Create) Microsoft Sysmon Event Log (EID 1 — Process Create) QRadar DSM for Microsoft Windows

Required Tables

events

False Positives

Backup software agents (Veeam, Commvault, Windows Server Backup) that invoke vssadmin to delete aged shadow copies during scheduled backup retention enforcement on backup servers
Authorized remote administration via PsExec or PAExec by helpdesk and sysadmin teams during maintenance windows, software rollouts, or post-incident remediation tasks across managed endpoints
Endpoint security platform migrations where operations engineers use sc.exe to stop and remove incumbent AV or EDR services before deploying a replacement — common during quarterly tooling refresh cycles

Sumo Logic CSE

sql

(_sourceCategory=*/Windows/Sysmon* OR _sourceCategory=*/WinEventLog/Security*)
| where (%"EventID" = "1" or %"EventID" = "4688" or EventID = 1 or EventID = 4688)
| parse field=_raw "Image: *\r" as Image nodrop
| parse field=_raw "CommandLine: *\r" as CommandLine nodrop
| parse field=_raw "Computer: *\r" as Computer nodrop
| parse field=_raw "User: *\r" as User nodrop
| parse field=_raw "NewProcessName: *\r" as NewProcessName nodrop
| parse field=_raw "CommandLine: *\r" as CommandLine2 nodrop
| if (isEmpty(Image), NewProcessName, Image) as ProcImage
| where (
    (ProcImage matches "*vssadmin.exe" and (CommandLine matches "*delete*" or CommandLine matches "*shadowstorage*" or CommandLine matches "*resize*"))
    or (ProcImage matches "*wmic.exe" and CommandLine matches "*shadowcopy*delete*")
    or (ProcImage matches "*bcdedit.exe" and (CommandLine matches "*recoveryenabled*" or CommandLine matches "*bootstatuspolicy*"))
    or (ProcImage matches "*powershell.exe" and (CommandLine matches "*Delete-ShadowCopy*" or CommandLine matches "*Win32_ShadowCopy*delete*"))
    or ProcImage matches "*psexec.exe"
    or ProcImage matches "*psexec64.exe"
    or ProcImage matches "*paexec.exe"
    or ProcImage matches "*remcom.exe"
    or (ProcImage matches "*sc.exe" and (CommandLine matches "*stop*" or CommandLine matches "*delete*" or CommandLine matches "*config*")
        and (CommandLine matches "*WinDefend*" or CommandLine matches "*SentinelAgent*"
             or CommandLine matches "*CSFalconService*" or CommandLine matches "*MpsSvc*"
             or CommandLine matches "*WdFilter*"))
    or (ProcImage matches "*taskkill.exe" and (CommandLine matches "*msmpeng*" or CommandLine matches "*mssense*"
        or CommandLine matches "*csagent*" or CommandLine matches "*sentinelagent*" or CommandLine matches "*cbdaemon*"))
    or (ProcImage matches "*reg.exe" and (CommandLine matches "*DisableAntiSpyware*" or CommandLine matches "*DisableRealtimeMonitoring*")
        and CommandLine matches "*Defender*")
  )
| eval StagingIndicator = if(
    (ProcImage matches "*vssadmin*" or ProcImage matches "*bcdedit*"
     or (ProcImage matches "*wmic*" and CommandLine matches "*shadowcopy*")
     or (ProcImage matches "*powershell*" and CommandLine matches "*ShadowCopy*")),
    "ShadowCopyDeletion_CRITICAL",
    if(ProcImage matches "*psexec*" or ProcImage matches "*paexec*" or ProcImage matches "*remcom*",
    "RemoteExecTool_HIGH",
    if(ProcImage matches "*sc.exe*" or ProcImage matches "*taskkill*" or ProcImage matches "*reg.exe*",
    "DefenseImpairment_HIGH",
    "StagingIndicator_MEDIUM")))
| eval RiskScore = if(StagingIndicator = "ShadowCopyDeletion_CRITICAL", 100,
    if(StagingIndicator = "DefenseImpairment_HIGH", 90,
    if(StagingIndicator = "RemoteExecTool_HIGH", 80, 60)))
| timeslice 30m
| stats
    count as EventCount,
    values(StagingIndicator) as Indicators,
    max(RiskScore) as MaxRisk,
    values(ProcImage) as Binaries,
    values(CommandLine) as Commands
    by _timeslice, Computer, User
| sort by MaxRisk desc

critical severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon (Event ID 1 — Process Create) Windows Security Event Log (Event ID 4688 — Process Create)

Required Tables

_sourceCategory=*/Windows/Sysmon* _sourceCategory=*/WinEventLog/Security*

False Positives

Scheduled backup jobs that invoke vssadmin to delete aged shadow copies as part of storage quota management or backup retention policy on backup infrastructure (Veeam proxies, DPM servers)
Help desk or sysadmin use of PsExec or PAExec for legitimate remote task execution during routine support, software deployment, or authorized post-incident remediation across the domain
Planned security tooling migrations where operations teams use sc.exe stop/delete to remove incumbent AV or EDR services before installing a replacement endpoint agent — common during quarterly platform refresh

Google Chronicle / SecOps

yaral

rule ransomware_staging_indicators {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects ransomware pre-deployment staging: shadow copy deletion, remote execution tool staging, and defense impairment consistent with Akira, Black Basta, Play, and LockBit affiliate TTPs"
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Impact, Defense Evasion, Lateral Movement"
    mitre_attack_technique = "T1490, T1562.001, T1021.002"
    reference = "NCSC UK 2025 Threat Report"
    created = "2026-04-24"
    threat_actors = "Akira, Black Basta, Play, LockBit, Medusa"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname = $hostname
    $proc.principal.user.userid = $user
    (
      // Shadow copy deletion - CRITICAL (T1490)
      (
        re.regex($proc.target.process.file.full_path, `(?i)vssadmin[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)(delete|resize|shadowstorage)`)
      ) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)wmic[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)shadowcopy`) and
        re.regex($proc.target.process.command_line, `(?i)delete`)
      ) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)bcdedit[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)(recoveryenabled|bootstatuspolicy|ignoreallfailures)`)
      ) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)powershell[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)(Delete-ShadowCopy|Win32_ShadowCopy|vssadmin.*delete)`)
      ) or
      // Remote execution tool staging - HIGH (T1021.002)
      re.regex($proc.target.process.file.full_path, `(?i)(psexec|psexec64|paexec|remcom)[.]exe`) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)wmic[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)/node:`) and
        re.regex($proc.target.process.command_line, `(?i)process call create`)
      ) or
      // Defense impairment - HIGH (T1562.001)
      (
        re.regex($proc.target.process.file.full_path, `(?i)sc[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)(stop|delete|config)`) and
        re.regex($proc.target.process.command_line, `(?i)(WinDefend|Sense|MpsSvc|SentinelAgent|CSFalconService|WdFilter|WdNisSvc|SecurityHealthService)`)
      ) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)taskkill[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)(msmpeng|mssense|csagent|sentinelagent|cbdaemon|mbam)`)
      ) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)reg[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)(DisableAntiSpyware|DisableRealtimeMonitoring)`) and
        re.regex($proc.target.process.command_line, `(?i)(WinDefend|Windows.Defender|Defender)`)
      )
    )

  condition:
    $proc
}

critical severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) — PROCESS_LAUNCH events Windows Event Logs ingested via Chronicle Forwarder Endpoint telemetry via Chronicle-integrated EDR (CrowdStrike, SentinelOne, Carbon Black)

Required Tables

UDM events (metadata.event_type = PROCESS_LAUNCH)

False Positives

Enterprise backup platforms (Veeam, Commvault, Veritas NetBackup) that issue vssadmin delete commands to manage VSS shadow storage quota during backup job finalization on backup proxy hosts
Authorized PsExec or PAExec usage by IT operations teams for remote software deployment, OS patch distribution, or incident response tasks across managed endpoints during approved maintenance windows
Security platform onboarding or replacement projects where operations engineers use sc.exe to stop and disable incumbent AV or EDR services before deploying the new endpoint agent

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)(vssadmin|wmic|bcdedit|powershell|psexec|psexec64|paexec|remcom|sc|taskkill|reg)[.]exe/
| case {
    FileName = /(?i)vssadmin[.]exe/ AND CommandLine = /(?i)(delete|resize|shadowstorage)/
      | StagingIndicator := "ShadowCopyDeletion_CRITICAL"
      | RiskScore := 100 ;
    FileName = /(?i)wmic[.]exe/ AND CommandLine = /(?i)shadowcopy/ AND CommandLine = /(?i)delete/
      | StagingIndicator := "ShadowCopyDeletion_CRITICAL"
      | RiskScore := 100 ;
    FileName = /(?i)bcdedit[.]exe/ AND CommandLine = /(?i)(recoveryenabled|bootstatuspolicy|ignoreallfailures)/
      | StagingIndicator := "ShadowCopyDeletion_CRITICAL"
      | RiskScore := 100 ;
    FileName = /(?i)powershell[.]exe/ AND CommandLine = /(?i)(Delete-ShadowCopy|Win32_ShadowCopy.*delete|vssadmin.*delete)/
      | StagingIndicator := "ShadowCopyDeletion_CRITICAL"
      | RiskScore := 100 ;
    FileName = /(?i)(psexec|psexec64|paexec|remcom)[.]exe/
      | StagingIndicator := "RemoteExecTool_HIGH"
      | RiskScore := 80 ;
    FileName = /(?i)wmic[.]exe/ AND CommandLine = /(?i)\/node:/ AND CommandLine = /(?i)process call create/
      | StagingIndicator := "RemoteExecTool_HIGH"
      | RiskScore := 80 ;
    FileName = /(?i)sc[.]exe/ AND CommandLine = /(?i)(stop|delete|config)/ AND CommandLine = /(?i)(WinDefend|Sense|MpsSvc|SentinelAgent|CSFalconService|WdFilter|WdNisSvc|SecurityHealthService)/
      | StagingIndicator := "DefenseImpairment_HIGH"
      | RiskScore := 90 ;
    FileName = /(?i)taskkill[.]exe/ AND CommandLine = /(?i)(msmpeng|mssense|csagent|sentinelagent|cbdaemon|mbam)/
      | StagingIndicator := "DefenseImpairment_HIGH"
      | RiskScore := 90 ;
    FileName = /(?i)reg[.]exe/ AND CommandLine = /(?i)(DisableAntiSpyware|DisableRealtimeMonitoring)/ AND CommandLine = /(?i)(WinDefend|Defender)/
      | StagingIndicator := "DefenseImpairment_HIGH"
      | RiskScore := 90 ;
    * | drop()
  }
| groupBy(
    [ComputerName, UserName, StagingIndicator],
    function=[
      count(as=EventCount),
      collect(CommandLine, limit=20),
      collect(FileName, limit=10),
      max(RiskScore, as=MaxRisk)
    ]
  )
| sort(MaxRisk, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Platform CrowdStrike Falcon LogScale (Humio) Falcon ProcessRollup2 event stream (process execution telemetry)

Required Tables

ProcessRollup2

False Positives

Backup administrators invoking vssadmin to delete aged shadow copies as part of scheduled storage quota management or backup retention policy enforcement on backup proxy or media server hosts
IT support staff using PsExec or PAExec for legitimate remote command execution during helpdesk troubleshooting, software deployment, or authorized remediation tasks on managed endpoints
Security platform onboarding workflows that use sc.exe to stop and remove incumbent AV or EDR services (WinDefend, Sense) before installing or upgrading the Falcon sensor or migrating to a new endpoint security platform

Last updated: 2026-04-24 Research depth: deep

References (6)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for THREAT-Ransomware-StagingIndicators including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Ransomware Pre-Deployment Staging Indicators

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Same Tactic: Impact

Popular Detections