Detect Ransomware Pre-Deployment Staging Indicators in Sumo Logic CSE
The hours before ransomware deployment follow a repeatable pattern regardless of group: network share enumeration, credential dumping, detection tool impairment, and staging of the ransomware binary in accessible locations. The NCSC UK 2025 threat report identified Akira, Black Basta, and Play as the most active ransomware groups targeting UK SMBs. The staging sequence typically occurs within 1-48 hours before encryption begins, which offers a detection opportunity. Key indicators: (1) net use or net share enumeration across the network; (2) vssadmin.exe or wmic delete shadowstorage (shadow copy deletion — the final indicator before encryption); (3) remote execution tool setup (PsExec, PAExec, WMI, WinRM) preparing for domain-wide payload deployment; (4) large file transfers or staging directories being created; (5) AV/EDR impairment attempts. This detection targets the staging window before encryption — a detection here prevents the actual ransomware event.
MITRE ATT&CK
- Tactics: Impact, Discovery, Lateral Movement
Sumo Detection Query
// Process creation from Sysmon (EID 1) and the Windows Security log (EID 4688)
(_sourceCategory=*/Windows/Sysmon* OR _sourceCategory=*/WinEventLog/Security*)
| where (%"EventID" = "1" or %"EventID" = "4688" or EventID = 1 or EventID = 4688)
| parse field=_raw "Image: *\r" as Image nodrop
| parse field=_raw "CommandLine: *\r" as CommandLine nodrop
| parse field=_raw "Computer: *\r" as Computer nodrop
| parse field=_raw "User: *\r" as User nodrop
| parse field=_raw "NewProcessName: *\r" as NewProcessName nodrop
// Normalize the process path: Sysmon carries it in Image, Security EID 4688 in NewProcessName
| if (isEmpty(Image), NewProcessName, Image) as ProcImage
| where (
    // Shadow copy and recovery tampering (the last indicator before encryption)
    (ProcImage matches "*vssadmin.exe" and (CommandLine matches "*delete*" or CommandLine matches "*shadowstorage*" or CommandLine matches "*resize*"))
    or (ProcImage matches "*wmic.exe" and CommandLine matches "*shadowcopy*delete*")
    or (ProcImage matches "*bcdedit.exe" and (CommandLine matches "*recoveryenabled*" or CommandLine matches "*bootstatuspolicy*"))
    or (ProcImage matches "*powershell.exe" and (CommandLine matches "*Delete-ShadowCopy*" or CommandLine matches "*Win32_ShadowCopy*delete*"))
    // Remote execution tooling staged for domain-wide deployment
    or ProcImage matches "*psexec.exe"
    or ProcImage matches "*psexec64.exe"
    or ProcImage matches "*paexec.exe"
    or ProcImage matches "*remcom.exe"
    // Defense impairment against Defender and third-party EDR agents
    or (ProcImage matches "*sc.exe" and (CommandLine matches "*stop*" or CommandLine matches "*delete*" or CommandLine matches "*config*")
        and (CommandLine matches "*WinDefend*" or CommandLine matches "*SentinelAgent*"
             or CommandLine matches "*CSFalconService*" or CommandLine matches "*MpsSvc*"
             or CommandLine matches "*WdFilter*"))
    or (ProcImage matches "*taskkill.exe" and (CommandLine matches "*msmpeng*" or CommandLine matches "*mssense*"
        or CommandLine matches "*csagent*" or CommandLine matches "*sentinelagent*" or CommandLine matches "*cbdaemon*"))
    or (ProcImage matches "*reg.exe" and (CommandLine matches "*DisableAntiSpyware*" or CommandLine matches "*DisableRealtimeMonitoring*")
        and CommandLine matches "*Defender*")
  )
// Label each hit with its staging category
| if((ProcImage matches "*vssadmin*" or ProcImage matches "*bcdedit*"
      or (ProcImage matches "*wmic*" and CommandLine matches "*shadowcopy*")
      or (ProcImage matches "*powershell*" and CommandLine matches "*ShadowCopy*")),
     "ShadowCopyDeletion_CRITICAL",
     if(ProcImage matches "*psexec*" or ProcImage matches "*paexec*" or ProcImage matches "*remcom*",
        "RemoteExecTool_HIGH",
        if(ProcImage matches "*sc.exe*" or ProcImage matches "*taskkill*" or ProcImage matches "*reg.exe*",
           "DefenseImpairment_HIGH",
           "StagingIndicator_MEDIUM"))) as StagingIndicator
// Numeric score so the highest-risk host/user pairs sort first
| if(StagingIndicator = "ShadowCopyDeletion_CRITICAL", 100,
     if(StagingIndicator = "DefenseImpairment_HIGH", 90,
        if(StagingIndicator = "RemoteExecTool_HIGH", 80, 60))) as RiskScore
| timeslice 30m
| count as EventCount,
  values(StagingIndicator) as Indicators,
  max(RiskScore) as MaxRisk,
  values(ProcImage) as Binaries,
  values(CommandLine) as Commands
  by _timeslice, Computer, User
| sort by MaxRisk desc

Detects ransomware pre-deployment staging in Sumo Logic by parsing Sysmon EID 1 and Windows Security EID 4688 process creation events. Covers shadow copy deletion (vssadmin/wmic/bcdedit/PowerShell), PsExec/PAExec/RemCom remote execution tool staging, and sc.exe/taskkill/reg.exe defense impairment against Windows Defender and third-party EDR agents. Groups hits into 30-minute timeslices with risk scoring (MaxRisk=100 for shadow deletion) to support analyst triage. Handles both the Sysmon Image field and the Security log NewProcessName field via conditional normalization.
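The classification and 30-minute bucketing the query performs, reimplemented in Python as an added example (not code from the original page or from Sumo Logic) so the logic can be exercised offline against constructed sample records. The record layout, hostnames and user names are constructed for this example, and comparisons are lowercased here, whereas the query uses its matches clauses as written.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) in the "Key: value\r" layout the Sumo
# query parses: one Sysmon EID 1 (Image) and two Security EID 4688 (NewProcessName).
SAMPLE_EVENTS = [
    "EventID: 1\rUtcTime: 2025-03-01 02:10:00\rComputer: FS01\rUser: CORP\\jdoe\r"
    "Image: C:\\Windows\\System32\\vssadmin.exe\rCommandLine: vssadmin.exe delete shadows /all /quiet\r",
    "EventID: 4688\rUtcTime: 2025-03-01 02:21:30\rComputer: FS01\rUser: CORP\\jdoe\r"
    "NewProcessName: C:\\Windows\\System32\\sc.exe\rCommandLine: sc stop WinDefend\r",
    "EventID: 4688\rUtcTime: 2025-03-01 02:45:00\rComputer: WS07\rUser: CORP\\alice\r"
    "NewProcessName: C:\\Program Files\\Git\\bin\\git.exe\rCommandLine: git status\r",
]

def field(raw, name):  # like `parse field=_raw "Name: *\r" as Name nodrop`: None if absent
    m = re.search(rf"{name}: (.*?)\r", raw)
    return m.group(1) if m else None

def classify(img, cmd):
    """(StagingIndicator, RiskScore) as the query's nested if() assigns them, else None."""
    img, cmd = (img or "").lower(), (cmd or "").lower()  # lowercased here for robustness
    has = lambda *keys: any(k in cmd for k in keys)
    if ((img.endswith("vssadmin.exe") and has("delete", "shadowstorage", "resize"))
            or (img.endswith("wmic.exe") and has("shadowcopy") and has("delete"))
            or (img.endswith("bcdedit.exe") and has("recoveryenabled", "bootstatuspolicy"))
            or (img.endswith("powershell.exe") and has("delete-shadowcopy", "win32_shadowcopy") and has("delete"))):
        return "ShadowCopyDeletion_CRITICAL", 100
    if img.endswith(("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe")):
        return "RemoteExecTool_HIGH", 80
    if ((img.endswith("sc.exe") and has("stop", "delete", "config")
            and has("windefend", "sentinelagent", "csfalconservice", "mpssvc", "wdfilter"))
            or (img.endswith("taskkill.exe") and has("msmpeng", "mssense", "csagent", "sentinelagent", "cbdaemon"))
            or (img.endswith("reg.exe") and has("disableantispyware", "disablerealtimemonitoring") and has("defender"))):
        return "DefenseImpairment_HIGH", 90
    return None

def staged_events(events, slice_minutes=30):
    """Aggregate hits per (timeslice, Computer, User): EventCount, Indicators, MaxRisk; highest MaxRisk first."""
    buckets = defaultdict(lambda: {"EventCount": 0, "Indicators": set(), "MaxRisk": 0})
    for raw in events:
        proc = field(raw, "Image") or field(raw, "NewProcessName")  # the query's ProcImage
        hit = classify(proc, field(raw, "CommandLine")) if field(raw, "EventID") in ("1", "4688") else None
        if hit is None:
            continue
        ts = datetime.strptime(field(raw, "UtcTime"), "%Y-%m-%d %H:%M:%S")
        ts -= timedelta(minutes=ts.minute % slice_minutes, seconds=ts.second)  # floor to the slice
        b = buckets[(ts, field(raw, "Computer"), field(raw, "User"))]
        b["EventCount"], b["MaxRisk"] = b["EventCount"] + 1, max(b["MaxRisk"], hit[1])
        b["Indicators"].add(hit[0])
    return sorted(buckets.items(), key=lambda kv: kv[1]["MaxRisk"], reverse=True)
```

Running `staged_events(SAMPLE_EVENTS)` yields one bucket for FS01/CORP\jdoe in the 02:00 slice with two indicators and MaxRisk 100; the git.exe record is filtered out as the query's where clause would.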
Data Sources
Required Tables
False Positives & Tuning
- Scheduled backup jobs that invoke vssadmin to delete aged shadow copies as part of storage quota management or backup retention policy on backup infrastructure (Veeam proxies, DPM servers)
- Help desk or sysadmin use of PsExec or PAExec for legitimate remote task execution during routine support, software deployment, or authorized post-incident remediation across the domain
- Planned security tooling migrations where operations teams use sc.exe stop/delete to remove incumbent AV or EDR services before installing a replacement endpoint agent — common during quarterly platform refresh
Other platforms for THREAT-Ransomware-StagingIndicators
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Shadow Copy Deletion via vssadmin (Ransomware Staging Simulation)
  Expected signal: Sysmon Event ID 1: vssadmin.exe process creation with 'delete shadows' in the command line. Security Event ID 4688 if command line auditing is enabled.
- Test 2: Windows Defender Disable via PowerShell
  Expected signal: Sysmon Event ID 1: powershell.exe with DisableRealtimeMonitoring in the command line. The Windows Defender event log records protection being disabled.
References (6)
- https://www.ncsc.gov.uk/news/uk-organisations-warned-about-ransomware-escalation
- https://www.cisa.gov/stopransomware/akira-ransomware
- https://www.cisa.gov/stopransomware/black-basta
- https://attack.mitre.org/techniques/T1490/
- https://attack.mitre.org/techniques/T1562/001/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md