Detect Ransomware Pre-Deployment Staging Indicators in Google Chronicle
The hours before ransomware deployment follow a repeatable pattern regardless of group: network share enumeration, credential dumping, detection tool impairment, and staging of the ransomware binary in accessible locations. The NCSC UK 2025 threat report identified Akira, Black Basta, and Play as the most active ransomware groups targeting UK SMBs. The staging sequence typically occurs within 1-48 hours before encryption begins, which offers a detection opportunity. Key indicators:
- (1) net use or net share enumeration across the network;
- (2) vssadmin.exe or wmic delete shadowstorage (shadow copy deletion — the final indicator before encryption);
- (3) remote execution tool setup (PsExec, PAExec, WMI, WinRM) preparing for domain-wide payload deployment;
- (4) large file transfers or staging directories created;
- (5) AV/EDR impairment attempts.
This detection targets the staging window before encryption — a detection here, acted on in time, prevents the actual ransomware event.
MITRE ATT&CK
- Tactic: Impact, Discovery, Lateral Movement
YARA-L Detection Query
```yaral
rule ransomware_staging_indicators {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects ransomware pre-deployment staging: shadow copy deletion, remote execution tool staging, and defense impairment consistent with Akira, Black Basta, Play, and LockBit affiliate TTPs"
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Impact, Defense Evasion, Lateral Movement"
    mitre_attack_technique = "T1490, T1562.001, T1021.002"
    reference = "NCSC UK 2025 Threat Report"
    created = "2026-04-24"
    threat_actors = "Akira, Black Basta, Play, LockBit, Medusa"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname = $hostname
    $proc.principal.user.userid = $user
    (
      // Shadow copy deletion - CRITICAL (T1490)
      (
        re.regex($proc.target.process.file.full_path, `(?i)vssadmin[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)(delete|resize|shadowstorage)`)
      ) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)wmic[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)shadowcopy`) and
        re.regex($proc.target.process.command_line, `(?i)delete`)
      ) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)bcdedit[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)(recoveryenabled|bootstatuspolicy|ignoreallfailures)`)
      ) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)powershell[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)(Delete-ShadowCopy|Win32_ShadowCopy|vssadmin.*delete)`)
      ) or
      // Remote execution tool staging - HIGH (T1021.002)
      re.regex($proc.target.process.file.full_path, `(?i)(psexec|psexec64|paexec|remcom)[.]exe`) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)wmic[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)/node:`) and
        re.regex($proc.target.process.command_line, `(?i)process call create`)
      ) or
      // Defense impairment - HIGH (T1562.001)
      (
        re.regex($proc.target.process.file.full_path, `(?i)sc[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)(stop|delete|config)`) and
        re.regex($proc.target.process.command_line, `(?i)(WinDefend|Sense|MpsSvc|SentinelAgent|CSFalconService|WdFilter|WdNisSvc|SecurityHealthService)`)
      ) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)taskkill[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)(msmpeng|mssense|csagent|sentinelagent|cbdaemon|mbam)`)
      ) or
      (
        re.regex($proc.target.process.file.full_path, `(?i)reg[.]exe`) and
        re.regex($proc.target.process.command_line, `(?i)(DisableAntiSpyware|DisableRealtimeMonitoring)`) and
        re.regex($proc.target.process.command_line, `(?i)(WinDefend|Windows.Defender|Defender)`)
      )
    )

  condition:
    $proc
}
```

Chronicle YARA-L 2.0 rule detecting ransomware pre-deployment staging across four behavioral signals using UDM PROCESS_LAUNCH events. Fires on any single match — shadow copy destruction via vssadmin/wmic/bcdedit/PowerShell (T1490), PsExec/PAExec/RemCom remote execution tool presence (T1021.002), and sc.exe/taskkill/reg.exe defense impairment targeting Windows Defender and third-party EDR agents (T1562.001). Single-event detection design ensures immediate alerting on the highest-fidelity indicators (shadow deletion) without requiring multi-event correlation. Correlate $proc.principal.hostname across multiple alerts within a 30-minute window to identify full staging sequences.
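To exercise the rule's logic offline, and the 30-minute hostname correlation the description calls for, here is an added Python re-implementation (not the Chronicle rule and not df00tech's code): it mirrors the rule's per-signal regexes, classifies PROCESS_LAUNCH records, and flags hosts where two or more distinct signals land inside the window. Hostnames, timestamps, paths and command lines in SAMPLE_EVENTS are constructed sample telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Signal table mirroring the YARA-L rule: (process path regex, command-line regexes that must all match).
SIGNALS = {
    "T1490_shadow_copy_deletion": [
        (r"(?i)vssadmin[.]exe", [r"(?i)(delete|resize|shadowstorage)"]),
        (r"(?i)wmic[.]exe", [r"(?i)shadowcopy", r"(?i)delete"]),
        (r"(?i)bcdedit[.]exe", [r"(?i)(recoveryenabled|bootstatuspolicy|ignoreallfailures)"]),
        (r"(?i)powershell[.]exe", [r"(?i)(Delete-ShadowCopy|Win32_ShadowCopy|vssadmin.*delete)"]),
    ],
    "T1021.002_remote_exec_staging": [
        (r"(?i)(psexec|psexec64|paexec|remcom)[.]exe", []),
        (r"(?i)wmic[.]exe", [r"(?i)/node:", r"(?i)process call create"]),
    ],
    "T1562.001_defense_impairment": [
        (r"(?i)sc[.]exe", [r"(?i)(stop|delete|config)", r"(?i)(WinDefend|Sense|MpsSvc|SentinelAgent|CSFalconService|WdFilter|WdNisSvc|SecurityHealthService)"]),
        (r"(?i)taskkill[.]exe", [r"(?i)(msmpeng|mssense|csagent|sentinelagent|cbdaemon|mbam)"]),
        (r"(?i)reg[.]exe", [r"(?i)(DisableAntiSpyware|DisableRealtimeMonitoring)", r"(?i)(WinDefend|Windows.Defender|Defender)"]),
    ],
}

def classify(event):
    """Signals a single PROCESS_LAUNCH event matches; any non-empty result is a rule hit."""
    hits = set()
    for name, patterns in SIGNALS.items():
        for path_re, cmd_res in patterns:
            if re.search(path_re, event["path"]) and all(re.search(r, event["cmd"]) for r in cmd_res):
                hits.add(name)
    return hits

def staging_sequences(events, window=timedelta(minutes=30)):
    """Per hostname, the distinct signals seen within `window` of an earlier hit; >= 2 is a staging sequence."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_host[ev["host"]].extend((ev["ts"], s) for s in classify(ev))
    flagged = {}
    for host, alerts in per_host.items():
        for i, (t0, _) in enumerate(alerts):
            sigs = {s for t, s in alerts[i:] if t - t0 <= window}
            if len(sigs) >= 2:
                flagged[host] = sigs
                break
    return flagged

T0 = datetime(2026, 4, 24, 3, 0)  # constructed sample telemetry below, not real events
SAMPLE_EVENTS = [
    {"ts": T0, "host": "WS-042", "path": r"C:\Windows\System32\sc.exe", "cmd": "sc.exe stop WinDefend"},
    {"ts": T0 + timedelta(minutes=12), "host": "WS-042", "path": r"C:\Temp\psexec.exe", "cmd": r"psexec.exe \\FS01 cmd.exe"},
    {"ts": T0 + timedelta(minutes=20), "host": "WS-042", "path": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": T0, "host": "BKP-PROXY", "path": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=10GB"},
]
```

The BKP-PROXY record fires the single-event rule (a known backup-platform false positive) but never reaches the sequence threshold; note also that the path regexes are unanchored exactly as in the rule, so `sc[.]exe` matches any executable whose name ends in sc.exe, which is worth anchoring to the preceding path separator when tuning.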
Data Sources
Required Tables
False Positives & Tuning
- Enterprise backup platforms (Veeam, Commvault, Veritas NetBackup) that issue vssadmin delete commands to manage VSS shadow storage quota during backup job finalization on backup proxy hosts
- Authorized PsExec or PAExec usage by IT operations teams for remote software deployment, OS patch distribution, or incident response tasks across managed endpoints during approved maintenance windows
- Security platform onboarding or replacement projects where operations engineers use sc.exe to stop and disable incumbent AV or EDR services before deploying the new endpoint agent
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Shadow Copy Deletion via vssadmin (Ransomware Staging Simulation)
Expected signal: Sysmon Event ID 1: vssadmin.exe process creation with 'delete shadows' in the command line. Security Event ID 4688 if command-line auditing is enabled.
- Test 2: Windows Defender Disable via PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe with DisableRealtimeMonitoring in the command line. The Windows Defender event log records protection being disabled.
References (6)
- https://www.ncsc.gov.uk/news/uk-organisations-warned-about-ransomware-escalation
- https://www.cisa.gov/stopransomware/akira-ransomware
- https://www.cisa.gov/stopransomware/black-basta
- https://attack.mitre.org/techniques/T1490/
- https://attack.mitre.org/techniques/T1562/001/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md