Detect Ransomware Pre-Deployment Staging Indicators in CrowdStrike LogScale
The hours before ransomware deployment follow a repeatable pattern regardless of group: network share enumeration, credential dumping, detection tool impairment, and staging of the ransomware binary in accessible locations. NCSC UK 2025 threat report identified Akira, Black Basta, and Play as the most active ransomware groups targeting UK SMBs. The staging sequence typically occurs within 1-48 hours before encryption begins, offering a detection opportunity. Key indicators: (1) net use or net share enumeration across the network; (2) vssadmin.exe or wmic delete shadowstorage (shadow copy deletion — the final indicator before encryption); (3) remote execution tool setup (PsExec, PAExec, WMI, WinRM) preparing for domain-wide payload deployment; (4) large file transfers or staging directories created; (5) AV/EDR impairment attempts. This detection targets the staging window before encryption — detection here prevents the actual ransomware event.
MITRE ATT&CK
- Tactic
- Impact Discovery Lateral Movement
LogScale Detection Query
#event_simpleName=ProcessRollup2
| FileName = /(?i)(vssadmin|wmic|bcdedit|powershell|psexec|psexec64|paexec|remcom|sc|taskkill|reg)[.]exe/
| case {
FileName = /(?i)vssadmin[.]exe/ AND CommandLine = /(?i)(delete|resize|shadowstorage)/
| StagingIndicator := "ShadowCopyDeletion_CRITICAL"
| RiskScore := 100 ;
FileName = /(?i)wmic[.]exe/ AND CommandLine = /(?i)shadowcopy/ AND CommandLine = /(?i)delete/
| StagingIndicator := "ShadowCopyDeletion_CRITICAL"
| RiskScore := 100 ;
FileName = /(?i)bcdedit[.]exe/ AND CommandLine = /(?i)(recoveryenabled|bootstatuspolicy|ignoreallfailures)/
| StagingIndicator := "ShadowCopyDeletion_CRITICAL"
| RiskScore := 100 ;
FileName = /(?i)powershell[.]exe/ AND CommandLine = /(?i)(Delete-ShadowCopy|Win32_ShadowCopy.*delete|vssadmin.*delete)/
| StagingIndicator := "ShadowCopyDeletion_CRITICAL"
| RiskScore := 100 ;
FileName = /(?i)(psexec|psexec64|paexec|remcom)[.]exe/
| StagingIndicator := "RemoteExecTool_HIGH"
| RiskScore := 80 ;
FileName = /(?i)wmic[.]exe/ AND CommandLine = /(?i)\/node:/ AND CommandLine = /(?i)process call create/
| StagingIndicator := "RemoteExecTool_HIGH"
| RiskScore := 80 ;
FileName = /(?i)sc[.]exe/ AND CommandLine = /(?i)(stop|delete|config)/ AND CommandLine = /(?i)(WinDefend|Sense|MpsSvc|SentinelAgent|CSFalconService|WdFilter|WdNisSvc|SecurityHealthService)/
| StagingIndicator := "DefenseImpairment_HIGH"
| RiskScore := 90 ;
FileName = /(?i)taskkill[.]exe/ AND CommandLine = /(?i)(msmpeng|mssense|csagent|sentinelagent|cbdaemon|mbam)/
| StagingIndicator := "DefenseImpairment_HIGH"
| RiskScore := 90 ;
FileName = /(?i)reg[.]exe/ AND CommandLine = /(?i)(DisableAntiSpyware|DisableRealtimeMonitoring)/ AND CommandLine = /(?i)(WinDefend|Defender)/
| StagingIndicator := "DefenseImpairment_HIGH"
| RiskScore := 90 ;
* | drop()
}
| groupBy(
[ComputerName, UserName, StagingIndicator],
function=[
count(as=EventCount),
collect(CommandLine, limit=20),
collect(FileName, limit=10),
max(RiskScore, as=MaxRisk)
]
)
| sort(MaxRisk, order=desc)CrowdStrike LogScale query detecting ransomware pre-deployment staging using Falcon ProcessRollup2 events. Matches vssadmin/wmic/bcdedit/PowerShell shadow copy deletion (RiskScore 100), PsExec/PAExec/RemCom remote execution tool staging (RiskScore 80), and sc.exe/taskkill/reg.exe defense impairment targeting Windows Defender and third-party EDR processes (RiskScore 90). The drop() call at the end of the case statement discards unmatched process events, keeping output clean and reducing noise. Groups by host, user, and indicator type with max risk score and collected command lines for analyst triage. Consistent with Akira, Black Basta, Play, and LockBit affiliate staging sequences.
Data Sources
Required Tables
False Positives & Tuning
- Backup administrators invoking vssadmin to delete aged shadow copies as part of scheduled storage quota management or backup retention policy enforcement on backup proxy or media server hosts
- IT support staff using PsExec or PAExec for legitimate remote command execution during helpdesk troubleshooting, software deployment, or authorized remediation tasks on managed endpoints
- Security platform onboarding workflows that use sc.exe to stop and remove incumbent AV or EDR services (WinDefend, Sense) before installing or upgrading the Falcon sensor or migrating to a new endpoint security platform
Other platforms for THREAT-Ransomware-StagingIndicators
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Shadow Copy Deletion via vssadmin (Ransomware Staging Simulation)
Expected signal: Sysmon Event ID 1: vssadmin.exe process creation with 'delete shadows' in command line. Security Event ID 4688 if command line auditing enabled.
- Test 2Windows Defender Disable via PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe with DisableRealtimeMonitoring in command line. Windows Defender event log records protection disabled.
References (6)
- https://www.ncsc.gov.uk/news/uk-organisations-warned-about-ransomware-escalation
- https://www.cisa.gov/stopransomware/akira-ransomware
- https://www.cisa.gov/stopransomware/black-basta
- https://attack.mitre.org/techniques/T1490/
- https://attack.mitre.org/techniques/T1562/001/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
Unlock Pro Content
Get the full detection package for THREAT-Ransomware-StagingIndicators including response playbook, investigation guide, and atomic red team tests.