Backup deletion

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Content Index

This query identifies use of wmic.exe to delete shadow copy snapshots prior to encryption.

Attribute Value
Type Hunting Query
Solution GitHub Only
ID fc2c12c1-ee93-45c2-9a1f-f8a143ec3eb1
Tactics Ransomware
Required Connectors MicrosoftThreatProtection
Source [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/Microsoft%20365%20Defender/Ransomware/Backup%20deletion.yaml)

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Hunting Queries