THREAT-Ransomware-StagingIndicators (IBM QRadar)

Detect Ransomware Pre-Deployment Staging Indicators in IBM QRadar

The hours before ransomware deployment follow a repeatable pattern regardless of group: network share enumeration, credential dumping, detection tool impairment, and staging of the ransomware binary in accessible locations. The NCSC UK 2025 threat report identified Akira, Black Basta, and Play as the most active ransomware groups targeting UK SMBs. The staging sequence typically occurs within 1-48 hours before encryption begins, and that window is the detection opportunity. Key indicators: (1) net use or net share enumeration across the network; (2) vssadmin.exe or wmic delete shadowstorage (shadow copy deletion — the final indicator before encryption); (3) remote execution tool setup (PsExec, PAExec, WMI, WinRM) preparing for domain-wide payload deployment; (4) large file transfers or staging directories created; (5) AV/EDR impairment attempts. This detection targets the staging window before encryption; catching the activity here is what allows the ransomware event itself to be prevented.

MITRE ATT&CK

Tactic

  • Impact
  • Discovery
  • Lateral Movement

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  devicename AS ComputerName,
  username AS Username,
  QIDNAME(qid) AS EventName,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CASE
    WHEN (
      (UTF8(payload) ILIKE '%vssadmin%' AND (UTF8(payload) ILIKE '%delete%' OR UTF8(payload) ILIKE '%shadowstorage%'))
      OR (UTF8(payload) ILIKE '%wmic%' AND UTF8(payload) ILIKE '%shadowcopy%' AND UTF8(payload) ILIKE '%delete%')
      OR (UTF8(payload) ILIKE '%bcdedit%' AND (UTF8(payload) ILIKE '%recoveryenabled%' OR UTF8(payload) ILIKE '%bootstatuspolicy%'))
      OR (UTF8(payload) ILIKE '%powershell%' AND (UTF8(payload) ILIKE '%Delete-ShadowCopy%' OR UTF8(payload) ILIKE '%Win32_ShadowCopy%delete%'))
    ) THEN 'ShadowCopyDeletion_CRITICAL'
    WHEN (
      UTF8(payload) ILIKE '%psexec.exe%' OR UTF8(payload) ILIKE '%psexec64.exe%'
      OR UTF8(payload) ILIKE '%paexec.exe%' OR UTF8(payload) ILIKE '%remcom.exe%'
      OR (UTF8(payload) ILIKE '%wmic%' AND UTF8(payload) ILIKE '%/node:%' AND UTF8(payload) ILIKE '%process call create%')
    ) THEN 'RemoteExecTool_HIGH'
    WHEN (
      (UTF8(payload) ILIKE '%\sc.exe%' OR UTF8(payload) ILIKE '% sc %')
      AND (UTF8(payload) ILIKE '%stop%' OR UTF8(payload) ILIKE '%delete%' OR UTF8(payload) ILIKE '%config%')
      AND (UTF8(payload) ILIKE '%WinDefend%' OR UTF8(payload) ILIKE '%SentinelAgent%'
           OR UTF8(payload) ILIKE '%CSFalconService%' OR UTF8(payload) ILIKE '%MpsSvc%'
           OR UTF8(payload) ILIKE '%WdFilter%' OR UTF8(payload) ILIKE '%WdNisSvc%')
    ) THEN 'DefenseImpairment_HIGH'
    WHEN (
      UTF8(payload) ILIKE '%taskkill%'
      AND (UTF8(payload) ILIKE '%msmpeng%' OR UTF8(payload) ILIKE '%mssense%'
           OR UTF8(payload) ILIKE '%csagent%' OR UTF8(payload) ILIKE '%sentinelagent%'
           OR UTF8(payload) ILIKE '%cbdaemon%' OR UTF8(payload) ILIKE '%mbam%')
    ) THEN 'DefenseImpairment_HIGH'
    ELSE 'Unknown'
  END AS StagingIndicator,
  CASE
    WHEN (
      (UTF8(payload) ILIKE '%vssadmin%' AND (UTF8(payload) ILIKE '%delete%' OR UTF8(payload) ILIKE '%shadowstorage%'))
      OR (UTF8(payload) ILIKE '%wmic%' AND UTF8(payload) ILIKE '%shadowcopy%' AND UTF8(payload) ILIKE '%delete%')
      OR (UTF8(payload) ILIKE '%bcdedit%' AND (UTF8(payload) ILIKE '%recoveryenabled%' OR UTF8(payload) ILIKE '%bootstatuspolicy%'))
      OR (UTF8(payload) ILIKE '%powershell%' AND (UTF8(payload) ILIKE '%Delete-ShadowCopy%' OR UTF8(payload) ILIKE '%Win32_ShadowCopy%delete%'))
    ) THEN 100
    WHEN (
      UTF8(payload) ILIKE '%psexec.exe%' OR UTF8(payload) ILIKE '%psexec64.exe%'
      OR UTF8(payload) ILIKE '%paexec.exe%' OR UTF8(payload) ILIKE '%remcom.exe%'
      OR (UTF8(payload) ILIKE '%wmic%' AND UTF8(payload) ILIKE '%/node:%' AND UTF8(payload) ILIKE '%process call create%')
    ) THEN 80
    WHEN (
      ((UTF8(payload) ILIKE '%\sc.exe%' OR UTF8(payload) ILIKE '% sc %')
       AND (UTF8(payload) ILIKE '%stop%' OR UTF8(payload) ILIKE '%delete%' OR UTF8(payload) ILIKE '%config%')
       AND (UTF8(payload) ILIKE '%WinDefend%' OR UTF8(payload) ILIKE '%SentinelAgent%'
            OR UTF8(payload) ILIKE '%CSFalconService%' OR UTF8(payload) ILIKE '%MpsSvc%'
            OR UTF8(payload) ILIKE '%WdFilter%' OR UTF8(payload) ILIKE '%WdNisSvc%'))
      OR (UTF8(payload) ILIKE '%taskkill%'
          AND (UTF8(payload) ILIKE '%msmpeng%' OR UTF8(payload) ILIKE '%mssense%'
               OR UTF8(payload) ILIKE '%csagent%' OR UTF8(payload) ILIKE '%sentinelagent%'
               OR UTF8(payload) ILIKE '%cbdaemon%' OR UTF8(payload) ILIKE '%mbam%'))
    ) THEN 90
    ELSE 60
  END AS RiskScore,
  UTF8(payload) AS RawEvent
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 232, 261)
  AND (
    (UTF8(payload) ILIKE '%vssadmin%' AND (UTF8(payload) ILIKE '%delete%' OR UTF8(payload) ILIKE '%shadowstorage%'))
    OR (UTF8(payload) ILIKE '%wmic%' AND UTF8(payload) ILIKE '%shadowcopy%' AND UTF8(payload) ILIKE '%delete%')
    OR (UTF8(payload) ILIKE '%bcdedit%' AND (UTF8(payload) ILIKE '%recoveryenabled%' OR UTF8(payload) ILIKE '%bootstatuspolicy%'))
    OR (UTF8(payload) ILIKE '%powershell%' AND (UTF8(payload) ILIKE '%Delete-ShadowCopy%' OR UTF8(payload) ILIKE '%Win32_ShadowCopy%delete%'))
    OR UTF8(payload) ILIKE '%psexec.exe%'
    OR UTF8(payload) ILIKE '%psexec64.exe%'
    OR UTF8(payload) ILIKE '%paexec.exe%'
    OR UTF8(payload) ILIKE '%remcom.exe%'
    OR (UTF8(payload) ILIKE '%wmic%' AND UTF8(payload) ILIKE '%/node:%' AND UTF8(payload) ILIKE '%process call create%')
    OR (
      (UTF8(payload) ILIKE '%\sc.exe%' OR UTF8(payload) ILIKE '% sc %')
      AND (UTF8(payload) ILIKE '%stop%' OR UTF8(payload) ILIKE '%delete%' OR UTF8(payload) ILIKE '%config%')
      AND (UTF8(payload) ILIKE '%WinDefend%' OR UTF8(payload) ILIKE '%SentinelAgent%'
           OR UTF8(payload) ILIKE '%CSFalconService%' OR UTF8(payload) ILIKE '%MpsSvc%'
           OR UTF8(payload) ILIKE '%WdFilter%' OR UTF8(payload) ILIKE '%WdNisSvc%')
    )
    OR (
      UTF8(payload) ILIKE '%taskkill%'
      AND (UTF8(payload) ILIKE '%msmpeng%' OR UTF8(payload) ILIKE '%mssense%'
           OR UTF8(payload) ILIKE '%csagent%' OR UTF8(payload) ILIKE '%sentinelagent%'
           OR UTF8(payload) ILIKE '%cbdaemon%' OR UTF8(payload) ILIKE '%mbam%')
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY RiskScore DESC, starttime DESC
LIMIT 500
```

Severity: critical · Confidence: high

Detects ransomware pre-deployment staging in QRadar AQL by querying Windows Security Event Log (EID 4688) and Microsoft Sysmon (EID 1) process-creation events via payload string matching; EID 4688 only carries the command line when process command-line auditing is enabled. Risk-scored CASE logic categorises matches into ShadowCopyDeletion_CRITICAL (RiskScore 100), DefenseImpairment_HIGH (90) and RemoteExecTool_HIGH (80) so the SOC can triage by severity tier. Of the five indicators listed above, the query covers (2) shadow copy deletion, (3) remote execution tooling and (5) AV/EDR impairment; share enumeration (1) and staging-directory creation (4) are not matched by it. LOGSOURCETYPEID 12 = Windows Security, 232 = Sysmon, 261 = Windows System. The search window is the last 24 hours (starttime > NOW() - 86400000, in milliseconds).

Data Sources

  • IBM QRadar SIEM
  • Windows Security Event Log (EID 4688 — Process Create)
  • Microsoft Sysmon Event Log (EID 1 — Process Create)
  • QRadar DSM for Microsoft Windows

Required Tables

events

False Positives & Tuning

  • Backup software agents (Veeam, Commvault, Windows Server Backup) that invoke vssadmin to delete aged shadow copies during scheduled backup retention enforcement on backup servers
  • Authorized remote administration via PsExec or PAExec by helpdesk and sysadmin teams during maintenance windows, software rollouts, or post-incident remediation tasks across managed endpoints
  • Endpoint security platform migrations where operations engineers use sc.exe to stop and remove incumbent AV or EDR services before deploying a replacement — common during quarterly tooling refresh cycles
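
As an added example (not code from the original page or from IBM), the following Python models the rule's tiering logic and the tuning list above in a form that runs offline: it classifies constructed Sysmon EID 1 / Security EID 4688 command lines into the same StagingIndicator tiers and RiskScores as the AQL CASE expressions, then drops allowlisted (host, user) pairs for the backup-server and helpdesk cases above. Host names, user names, allowlist entries and sample command lines are all assumptions, and the substring groups are unordered (each substring must appear somewhere), which is slightly broader than the rule's ordered `%a%b%` patterns.

```python
"""Model of the QRadar staging-indicator rule's tiering and tuning logic.
Added example, not code from the original page or from IBM. Sample events,
host names, user names and allowlist entries are constructed for illustration."""
import re

# Substring groups: every substring in a tuple must appear (case-insensitive),
# mirroring the rule's `ILIKE '%a%' AND ILIKE '%b%'` conjunctions.
SHADOW_COPY_PATTERNS = [
    ("vssadmin", "delete"), ("vssadmin", "shadowstorage"),
    ("wmic", "shadowcopy", "delete"),
    ("bcdedit", "recoveryenabled"), ("bcdedit", "bootstatuspolicy"),
    ("powershell", "delete-shadowcopy"),
    ("powershell", "win32_shadowcopy", "delete"),
]
REMOTE_EXEC_PATTERNS = [
    ("psexec.exe",), ("psexec64.exe",), ("paexec.exe",), ("remcom.exe",),
    ("wmic", "/node:", "process call create"),
]
# Service and process names taken from the rule's DefenseImpairment branches.
SECURITY_SERVICES = ("windefend", "sentinelagent", "csfalconservice",
                     "mpssvc", "wdfilter", "wdnissvc")
SECURITY_PROCESSES = ("msmpeng", "mssense", "csagent", "sentinelagent",
                      "cbdaemon", "mbam")
SC_ACTIONS = ("stop", "delete", "config")
# `sc` or `sc.exe` as a standalone token (optionally quoted), so that a process
# name such as "discord.exe" cannot satisfy the check the way a bare '%sc%' would.
SC_TOKEN = re.compile(r"""(^|[\\\s"'])sc(\.exe)?["']?(\s|$)""")


def _has_all(text, parts):
    return all(part in text for part in parts)


def classify(command_line):
    """Return (StagingIndicator, RiskScore) for one process command line, or
    None when no staging indicator matches. Branch order follows the rule's
    CASE expression, so the first matching tier wins."""
    text = command_line.lower()
    if any(_has_all(text, p) for p in SHADOW_COPY_PATTERNS):
        return "ShadowCopyDeletion_CRITICAL", 100
    if any(_has_all(text, p) for p in REMOTE_EXEC_PATTERNS):
        return "RemoteExecTool_HIGH", 80
    if (SC_TOKEN.search(text) and any(a in text for a in SC_ACTIONS)
            and any(s in text for s in SECURITY_SERVICES)):
        return "DefenseImpairment_HIGH", 90
    if "taskkill" in text and any(p in text for p in SECURITY_PROCESSES):
        return "DefenseImpairment_HIGH", 90
    return None


# Constructed tuning allowlist keyed by indicator. Entries are (host, user)
# pairs rather than bare accounts: a backup service account running vssadmin on
# a workstation is exactly the case the rule should still raise.
ALLOWLIST = {
    "ShadowCopyDeletion_CRITICAL": {("bkp-veeam01", "svc_veeam")},
    "RemoteExecTool_HIGH": {("mgmt-jump01", "helpdesk-admin")},
}


def triage(events):
    """Score each event, drop allowlisted (host, user) pairs, and return the
    remaining alerts highest risk first, like the rule's ORDER BY."""
    alerts = []
    for event in events:
        result = classify(event["command_line"])
        if result is None:
            continue
        indicator, risk = result
        pair = (event["host"].lower(), event["user"].lower())
        if pair in ALLOWLIST.get(indicator, set()):
            continue
        alerts.append({**event, "indicator": indicator, "risk": risk})
    return sorted(alerts, key=lambda a: a["risk"], reverse=True)


# Constructed process-creation events in the shape a Sysmon EID 1 / Security
# EID 4688 parser would emit (not real telemetry).
SAMPLE_EVENTS = [
    {"source": "Sysmon EID 1", "host": "ws-finance07", "user": "jdoe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"source": "Security EID 4688", "host": "bkp-veeam01", "user": "svc_veeam",
     "command_line": "vssadmin delete shadows /for=D: /oldest"},
    {"source": "Sysmon EID 1", "host": "ws-hr03", "user": "jdoe",
     "command_line": '"C:\\Windows\\System32\\sc.exe" config WinDefend start= disabled'},
    {"source": "Sysmon EID 1", "host": "srv-files02", "user": "jdoe",
     "command_line": "C:\\Tools\\PsExec.exe \\\\srv-app01 -s ipconfig"},
    {"source": "Sysmon EID 1", "host": "ws-hr03", "user": "jdoe",
     "command_line": "taskkill /F /IM MsMpEng.exe"},
    {"source": "Sysmon EID 1", "host": "ws-dev11", "user": "asmith",
     "command_line": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["risk"], alert["indicator"], alert["host"], alert["user"],
              alert["command_line"], sep="  ")
```

Running the file prints four alerts: the workstation vssadmin deletion (100), the two Defender-impairment events (90), then the PsExec execution (80); the Veeam backup server's vssadmin run is suppressed by the allowlist and `vssadmin list shadows` never matches because the rule requires `delete` or `shadowstorage` alongside `vssadmin`. The same (host, user) keying translates directly into a QRadar reference set checked in the WHERE clause, which is the usual way to carry the tuning list above into production.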

Testing Methodology

Validate this detection against two adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Shadow Copy Deletion via vssadmin (Ransomware Staging Simulation)

    Expected signal: Sysmon Event ID 1: vssadmin.exe process creation with 'delete shadows' in the command line. Security Event ID 4688 as well, if command-line auditing is enabled.

  2. Test 2: Windows Defender Disable via PowerShell

    Expected signal: Sysmon Event ID 1: powershell.exe with DisableRealtimeMonitoring in the command line. The Windows Defender event log also records that protection was disabled. Note that the query above has no pattern for powershell.exe with DisableRealtimeMonitoring in its DefenseImpairment branches, so this test validates the telemetry pipeline rather than the AQL rule as written.
