Detect Ransomware Pre-Deployment Staging Indicators in Microsoft Sentinel
The hours before ransomware deployment follow a repeatable pattern regardless of group: network share enumeration, credential dumping, detection tool impairment, and staging of the ransomware binary in accessible locations. The NCSC UK 2025 threat report identified Akira, Black Basta, and Play as the most active ransomware groups targeting UK SMBs. The staging sequence typically occurs 1-48 hours before encryption begins, and that window is the detection opportunity. Key indicators: (1) net use, net view or net share enumeration across the network; (2) shadow copy deletion with vssadmin delete shadows, vssadmin resize shadowstorage or wmic shadowcopy delete (T1490, the final indicator before encryption); (3) remote execution tool setup (PsExec, PAExec, WMI, WinRM) preparing for domain-wide payload deployment; (4) large file transfers or staging directories created; (5) AV/EDR impairment attempts (T1562.001). This detection targets the staging window before encryption: an alert here can prevent the encryption event itself, whereas an alert on encryption activity arrives after the damage has started. Note that the query below works from process creation telemetry only, so it covers indicators (1), (2), (3) and (5); credential dumping and file staging (4) need separate coverage.
MITRE ATT&CK
- Tactics: Discovery, Lateral Movement, Defense Evasion, Impact
- Techniques: T1490 (Inhibit System Recovery), T1562.001 (Impair Defenses: Disable or Modify Tools)
KQL Detection Query
// THREAT: Ransomware Pre-Deployment Staging Indicators
// Detects the staging sequence used by Akira, Black Basta, LockBit, Play
// before mass ransomware deployment across the domain.
// All four indicators read DeviceProcessEvents (Defender for Endpoint process creation telemetry).
// Indicator 1: Shadow copy deletion / recovery impairment (T1490 - immediate escalation)
let ShadowDelete = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "vssadmin.exe" and ProcessCommandLine has_any ("delete shadows", "resize shadowstorage"))
    // "wmic shadowcopy delete": require both terms so an unrelated "wmic ... delete" does not match
    or (FileName =~ "wmic.exe" and ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete")
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Delete-ShadowCopy", "Win32_ShadowCopy", "vssadmin"))
    // bcdedit recovery tampering: match the switch/value pair rather than the bare word "no"
    or (FileName =~ "bcdedit.exe" and ProcessCommandLine has_any ("recoveryenabled no", "bootstatuspolicy ignoreallfailures"))
)
| extend StageIndicator = "ShadowCopyDeletion", StagingRisk = 100;
// Indicator 2: Network share enumeration (mass reconnaissance)
let ShareEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "net.exe" and ProcessCommandLine has_any ("view", "share", "use"))
    or (FileName =~ "net1.exe" and ProcessCommandLine has_any ("view", "share"))
    or FileName in~ ("netscan.exe", "AdFind.exe")
    or (FileName =~ "nltest.exe" and ProcessCommandLine has_any ("dclist", "domain_trusts", "server", "all_trusts"))
)
// Collapse the burst to one row per host/account per 15-minute bin, keeping sample command
// lines as strings so the schema lines up with the other indicators in the union below
| summarize EnumCount = count(),
            FileName = strcat_array(make_set(FileName, 5), ", "),
            ProcessCommandLine = strcat_array(make_set(ProcessCommandLine, 5), " | "),
            InitiatingProcessFileName = take_any(InitiatingProcessFileName)
    by DeviceName, AccountName, Timestamp = bin(Timestamp, 15m)
| where EnumCount >= 5
| extend StageIndicator = "NetworkShareEnumeration", StagingRisk = 70;
// Indicator 3: Remote execution tools for mass deployment
let RemoteExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    FileName in~ ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe")
    or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:" and ProcessCommandLine has "process call create")
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_any ("Invoke-WmiMethod", "Invoke-Command", "New-PSSession")
        and ProcessCommandLine has_any ("-ComputerName", "-cn"))
)
| extend StageIndicator = "RemoteExecutionToolUsed", StagingRisk = 80;
// Indicator 4: AV/EDR impairment (T1562.001)
let DefenseImpair = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "sc.exe" and ProcessCommandLine has_any ("stop", "delete", "config")
        and ProcessCommandLine has_any ("WinDefend", "Sense", "MpsSvc", "wscsvc", "WdFilter", "WdNisSvc",
                                        "SecurityHealthService", "SentinelAgent", "CSFalconService"))
    or (FileName =~ "taskkill.exe" and ProcessCommandLine has_any (
        "msmpeng", "mssense", "csagent", "sentinelagent", "cbdaemon", "mbam"))
    or (FileName =~ "reg.exe" and ProcessCommandLine has_any ("add", "delete")
        and ProcessCommandLine has_any ("WinDefend", "DisableAntiSpyware", "DisableRealtimeMonitoring",
                                        "SOFTWARE\\Policies\\Microsoft\\Windows Defender"))
    // PowerShell path (e.g. Set-MpPreference -DisableRealtimeMonitoring $true), exercised by Test 2 below
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("DisableRealtimeMonitoring", "DisableAntiSpyware"))
)
| extend StageIndicator = "DefenseImpairmentAttempt", StagingRisk = 90;
// All four indicators must be in the union; ShareEnum was previously left out
union ShadowDelete, ShareEnum, RemoteExec, DefenseImpair
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, StageIndicator, StagingRisk, EnumCount
| sort by StagingRisk desc, Timestamp desc
Multi-indicator ransomware staging detection targeting the 1-48 hour pre-encryption window. It detects four staging activities: shadow copy deletion (immediate escalation, encryption is imminent), network share enumeration (reconnaissance for deployment targets, alerted only as a burst of five or more commands per host and account in 15 minutes), remote execution tool setup (PsExec, WMI and PowerShell remoting for mass deployment), and AV/EDR impairment. The query emits one row per indicator hit; the StagingRisk score (70-100) indicates proximity to active deployment, and several distinct StageIndicator values on the same DeviceName within a few hours is the staging chain rather than a lone administrative command. EnumCount is populated only for NetworkShareEnumeration rows.
Data Sources
Required Tables
- DeviceProcessEvents (process creation telemetry from Microsoft Defender for Endpoint, ingested into Sentinel through the Microsoft Defender XDR connector)
False Positives & Tuning
- Legitimate IT backup tools (Veeam, Acronis, Backup Exec) that use vssadmin to manage shadow storage. Tune on the backup service account or InitiatingProcessFileName rather than suppressing the indicator: a full "vssadmin delete shadows /all /quiet" is still worth a look even from a backup host
- System administrators using net view/net share for legitimate inventory; the 15-minute threshold of five commands absorbs occasional use, so raise it or exclude known admin jump hosts if inventory scripts trip it
- PsExec used by IT staff for remote administration or software deployment during maintenance windows
- Endpoint management platforms (SCCM, Qualys, Tanium) that invoke WMI remote execution for patch deployment
- Security testing by authorised penetration testers (shadow copy deletion should be excluded from scope)
- When tuning, prefer exclusions on the combination of account, host and parent process over dropping a whole indicator, and treat a host that shows two or more distinct indicators as not eligible for suppression
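The detection logic above, together with the tuning guidance in this section, as an added example that is not code from the original page: the four indicators are re-implemented in Python and run over constructed DeviceProcessEvents-style rows, with the 15-minute enumeration bin, a parent-process allowlist for the backup-tool false positive, and a per-device correlation step that groups distinct indicators inside a sliding window. The host names, accounts, the VeeamAgent.exe parent and the ALLOWED_BACKUP_PARENTS allowlist are assumptions for the example; has_any is approximated with substring matching, whereas KQL has_any is term-based.

```python
# Added example (not code from the original detection page): the four staging indicators
# re-implemented over constructed DeviceProcessEvents-style rows, plus tuning and correlation.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

COLUMNS = ("Timestamp", "DeviceName", "AccountName", "FileName",
           "ProcessCommandLine", "InitiatingProcessFileName")

# Constructed sample rows (not real telemetry). ws-07 shows the full staging chain,
# backup-srv is a sanctioned backup job, admin-pc is a lone benign 'net view'.
EVENTS = [
    ("2025-03-01T02:00:00Z", "ws-07", "jsmith", "net.exe", "net view \\\\fs01", "cmd.exe"),
    ("2025-03-01T02:01:00Z", "ws-07", "jsmith", "net.exe", "net view \\\\fs02", "cmd.exe"),
    ("2025-03-01T02:02:00Z", "ws-07", "jsmith", "net.exe", "net share", "cmd.exe"),
    ("2025-03-01T02:03:00Z", "ws-07", "jsmith", "nltest.exe", "nltest /dclist:corp", "cmd.exe"),
    ("2025-03-01T02:04:00Z", "ws-07", "jsmith", "net.exe", "net view /domain", "cmd.exe"),
    ("2025-03-01T02:20:00Z", "ws-07", "jsmith", "PsExec.exe", "psexec \\\\fs01 -s cmd.exe", "cmd.exe"),
    ("2025-03-01T02:25:00Z", "ws-07", "jsmith", "sc.exe", "sc stop WinDefend", "cmd.exe"),
    ("2025-03-01T02:40:00Z", "ws-07", "jsmith", "vssadmin.exe", "vssadmin delete shadows /all /quiet", "cmd.exe"),
    ("2025-03-01T03:00:00Z", "backup-srv", "svc_backup", "vssadmin.exe",
     "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=20%", "VeeamAgent.exe"),
    ("2025-03-01T09:00:00Z", "admin-pc", "helpdesk", "net.exe", "net view \\\\print01", "cmd.exe"),
]

# Hypothetical allowlist (assumption): parents of sanctioned backup agents whose
# shadow-storage management should not raise ShadowCopyDeletion.
ALLOWED_BACKUP_PARENTS = {"veeamagent.exe"}
SECURITY_SERVICES = ["WinDefend", "Sense", "MpsSvc", "wscsvc", "WdFilter", "WdNisSvc",
                     "SecurityHealthService", "SentinelAgent", "CSFalconService"]
POWERSHELL = ("powershell.exe", "pwsh.exe")


def has_any(cmd, terms):
    """Case-insensitive substring test; a loose stand-in for KQL has_any, which is term-based."""
    low = cmd.lower()
    return any(t.lower() in low for t in terms)


def shadow_delete(f, cmd):  # T1490: shadow copy deletion / recovery impairment
    return ((f == "vssadmin.exe" and has_any(cmd, ["delete shadows", "resize shadowstorage"]))
            or (f == "wmic.exe" and has_any(cmd, ["shadowcopy"]) and has_any(cmd, ["delete"]))
            or (f in POWERSHELL and has_any(cmd, ["Win32_ShadowCopy", "vssadmin"]))
            or (f == "bcdedit.exe" and has_any(cmd, ["recoveryenabled no", "bootstatuspolicy ignoreallfailures"])))


def defense_impair(f, cmd):  # T1562.001: AV/EDR impairment
    return ((f == "sc.exe" and has_any(cmd, ["stop", "delete", "config"]) and has_any(cmd, SECURITY_SERVICES))
            or (f == "taskkill.exe" and has_any(cmd, ["msmpeng", "mssense", "csagent", "sentinelagent", "cbdaemon", "mbam"]))
            or (f == "reg.exe" and has_any(cmd, ["add", "delete"])
                and has_any(cmd, ["WinDefend", "DisableAntiSpyware", "DisableRealtimeMonitoring"]))
            or (f in POWERSHELL and has_any(cmd, ["DisableRealtimeMonitoring", "DisableAntiSpyware"])))


def remote_exec(f, cmd):  # remote execution tooling staged for mass deployment
    return (f in ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe")
            or (f == "wmic.exe" and has_any(cmd, ["/node:"]) and has_any(cmd, ["process call create"]))
            or (f in POWERSHELL and has_any(cmd, ["Invoke-WmiMethod", "Invoke-Command", "New-PSSession"])
                and has_any(cmd, ["-ComputerName", "-cn"])))


def share_enum(f, cmd):  # one enumeration command; only a burst of them becomes an indicator
    return ((f == "net.exe" and has_any(cmd, ["view", "share", "use"]))
            or (f == "net1.exe" and has_any(cmd, ["view", "share"]))
            or f in ("netscan.exe", "adfind.exe")
            or (f == "nltest.exe" and has_any(cmd, ["dclist", "domain_trusts", "server", "all_trusts"])))


SINGLE_EVENT_INDICATORS = [("ShadowCopyDeletion", 100, shadow_delete),
                           ("DefenseImpairmentAttempt", 90, defense_impair),
                           ("RemoteExecutionToolUsed", 80, remote_exec)]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def floor_bin(ts, size):
    """Equivalent of KQL bin(): round ts down to a multiple of size."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((ts - epoch) // size) * size


def detect(events, enum_threshold=5, enum_bin=timedelta(minutes=15)):
    """One hit per indicator, sorted like the query: StagingRisk desc, Timestamp desc."""
    hits, enum_buckets = [], defaultdict(list)
    for row in events:
        ev = dict(zip(COLUMNS, row))
        ts, f, cmd = parse_ts(ev["Timestamp"]), ev["FileName"].lower(), ev["ProcessCommandLine"]
        base = {"Timestamp": ts, "DeviceName": ev["DeviceName"], "AccountName": ev["AccountName"],
                "FileName": ev["FileName"], "ProcessCommandLine": cmd,
                "InitiatingProcessFileName": ev["InitiatingProcessFileName"]}
        for name, risk, pred in SINGLE_EVENT_INDICATORS:
            # Tuning: suppress shadow-storage management spawned by a sanctioned backup agent
            if pred(f, cmd) and not (name == "ShadowCopyDeletion"
                                     and ev["InitiatingProcessFileName"].lower() in ALLOWED_BACKUP_PARENTS):
                hits.append(dict(base, StageIndicator=name, StagingRisk=risk))
        if share_enum(f, cmd):  # summarize count() by DeviceName, AccountName, bin(Timestamp, 15m)
            enum_buckets[(ev["DeviceName"], ev["AccountName"], floor_bin(ts, enum_bin))].append(cmd)
    for (device, account, bucket), cmds in enum_buckets.items():
        if len(cmds) >= enum_threshold:
            hits.append({"Timestamp": bucket, "DeviceName": device, "AccountName": account, "FileName": "",
                         "ProcessCommandLine": " | ".join(cmds[:5]), "InitiatingProcessFileName": "",
                         "StageIndicator": "NetworkShareEnumeration", "StagingRisk": 70, "EnumCount": len(cmds)})
    hits.sort(key=lambda h: (h["StagingRisk"], h["Timestamp"]), reverse=True)
    return hits


def correlate(hits, window=timedelta(hours=2)):
    """Per device, the largest set of distinct indicators inside one sliding window:
    several stages on one host is the staging chain, a lone hit is a tuning candidate."""
    by_device = defaultdict(list)
    for h in hits:
        by_device[h["DeviceName"]].append(h)
    summary = {}
    for device, hs in by_device.items():
        hs, best = sorted(hs, key=lambda h: h["Timestamp"]), None
        for anchor in hs:
            in_window = [h for h in hs if anchor["Timestamp"] <= h["Timestamp"] <= anchor["Timestamp"] + window]
            cand = {"Indicators": sorted({h["StageIndicator"] for h in in_window}),
                    "MaxRisk": max(h["StagingRisk"] for h in in_window),
                    "FirstSeen": anchor["Timestamp"], "LastSeen": in_window[-1]["Timestamp"]}
            if best is None or len(cand["Indicators"]) > len(best["Indicators"]):
                best = cand
        summary[device] = best
    return summary


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(h["StagingRisk"], h["Timestamp"], h["DeviceName"], h["StageIndicator"], h["ProcessCommandLine"])
    print(correlate(detect(EVENTS)))
```

Running it against the constructed rows yields four hits, all on ws-07, ordered ShadowCopyDeletion, DefenseImpairmentAttempt, RemoteExecutionToolUsed, NetworkShareEnumeration; backup-srv is silenced by the parent allowlist and admin-pc never reaches the enumeration threshold. The correlation step is the piece the union query leaves to the analyst: a host carrying all four indicators inside two hours is the staging chain and should page regardless of tuning, whereas a single NetworkShareEnumeration hit on an admin workstation is where exclusions belong.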
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. The query reads DeviceProcessEvents, so in Sentinel the signal is a DeviceProcessEvents row from the Defender for Endpoint agent on the test host; Sysmon Event ID 1 and Security Event ID 4688 are the equivalent signals where Windows event collection is used instead. Run the tests on an isolated host with no production shadow copies to lose.
- Test 1: Shadow Copy Deletion via vssadmin (Ransomware Staging Simulation)
Expected signal: vssadmin.exe process creation with 'delete shadows' in the command line, surfacing as StageIndicator = ShadowCopyDeletion. With Windows event collection: Sysmon Event ID 1, and Security Event ID 4688 if command line auditing is enabled.
- Test 2: Windows Defender Disable via PowerShell
Expected signal: powershell.exe process creation with DisableRealtimeMonitoring in the command line, surfacing as StageIndicator = DefenseImpairmentAttempt (Sysmon Event ID 1 where Sysmon is collected). The Windows Defender operational log also records real-time protection being disabled.
References
- https://www.ncsc.gov.uk/news/uk-organisations-warned-about-ransomware-escalation
- https://www.cisa.gov/stopransomware/akira-ransomware
- https://www.cisa.gov/stopransomware/black-basta
- https://attack.mitre.org/techniques/T1490/
- https://attack.mitre.org/techniques/T1562/001/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md