EXPLORE
← Back to Explore
crowdstrike_cqlTTP

Ransomware Precursors

Detects command patterns that ransomware operators execute immediately before encryption to prevent recovery: Volume Shadow Copy deletion (vssadmin, WMIC, PowerShell WMI/CIM), backup catalog destruction (wbadmin), Windows Recovery Environment tampering (bcdedit), USN journal deletion (fsutil), and mass shadow storage resizing. Each event is classified into a named hypothesis so analysts can triage by technique. These commands are rare in legitimate day-to-day operation and their appearance - especially several within a short window on the same host - is one of the strongest early-warning signals of an imminent ransomware detonation. ## Why this matters Before deploying an encryptor, virtually every major ransomware family (LockBit, BlackCat/ALPHV, Akira, Conti descendants, Ryuk, and others) runs a near-identical "recovery inhibition" playbook so victims cannot restore from local snapshots or backups. Because these commands are executed **minutes before encryption begins**, detecting them provides one of the last actionable intervention windows in a ransomware intrusion. ## Detection hypotheses | Hypothesis | Command pattern | Notes | | :--- | :--- | :--- | | H1 | `vssadmin delete shadows /all /quiet` | The single most common ransomware precursor | | H2 | `vssadmin resize shadowstorage /maxsize=401MB` | Forces Windows to silently purge shadow copies; used to evade "delete shadows" detections | | H3 | `wmic shadowcopy delete` | WMIC-based variant | | H4 | PowerShell `Win32_ShadowCopy` / `Get-CimInstance ... \| Remove` | Script-based variant | | H5 | `wbadmin delete catalog -quiet` | Destroys the Windows Backup catalog | | H6 | `bcdedit /set {default} recoveryenabled no` + `bootstatuspolicy ignoreallfailures` | Prevents booting into WinRE for repair/restore | | H7 | `fsutil usn deletejournal /D C:` | Anti-forensics; wipes the NTFS change journal | ## Triage guidance - **`Priority = CRITICAL`** (2+ distinct techniques on one host): treat as active ransomware staging. Network-contain the host immediately and pivot on `ParentBaseFileName` and sibling processes. - **Single H1/H3/H5/H6 events**: still high-signal. Legitimate occurrences are rare and usually tied to storage administration or imaging/backup software - check the parent process and the executing user. - **Known false-positive sources**: backup agents (Veeam, Commvault), disk-cloning tools, and some VDI provisioning workflows may resize shadow storage (H2) or manage snapshots. Baseline these and add an exclusion on `ParentBaseFileName` or `UserName` rather than removing the hypothesis.

MITRE ATT&CK

impactdefense-evasion

Detection Query

#event_simpleName=ProcessRollup2 event_platform=Win
// Optional scoping for testing on a single host
| ComputerName=?ComputerName
// Normalise the command line once for all subsequent matching
| CmdLower := lower("CommandLine")
// --- Recovery-inhibition classification ---------------------------------
| case {
    // Shadow copy deletion via vssadmin
    ImageFileName=/\\vssadmin\.exe$/i
      AND CmdLower=/delete\s+shadows/
      | Hypothesis := "H1_VSSADMIN_SHADOW_DELETE" | Confidence := "High";

    // Shadow storage resize to force silent shadow deletion (401 KB trick)
    ImageFileName=/\\vssadmin\.exe$/i
      AND CmdLower=/resize\s+shadowstorage/
      | Hypothesis := "H2_VSSADMIN_SHADOWSTORAGE_RESIZE" | Confidence := "Medium";

    // Shadow copy deletion via WMIC
    ImageFileName=/\\wmic\.exe$/i
      AND CmdLower=/shadowcopy/ AND CmdLower=/delete/
      | Hypothesis := "H3_WMIC_SHADOW_DELETE" | Confidence := "High";

    // Shadow copy deletion via PowerShell WMI/CIM
    ImageFileName=/\\(powershell|powershell_ise|pwsh)\.exe$/i
      AND CmdLower=/win32_shadowcopy|get-wmiobject.{0,40}shadowcopy|get-ciminstance.{0,40}shadowcopy/
      AND CmdLower=/delete|remove/
      | Hypothesis := "H4_POWERSHELL_SHADOW_DELETE" | Confidence := "High";

    // Backup catalog / system state backup destruction
    ImageFileName=/\\wbadmin\.exe$/i
      AND CmdLower=/delete\s+(catalog|systemstatebackup|backup)/
      | Hypothesis := "H5_WBADMIN_BACKUP_DELETE" | Confidence := "High";

    // Disable Windows Recovery Environment / automatic repair
    ImageFileName=/\\bcdedit\.exe$/i
      AND CmdLower=/recoveryenabled\s+(no|off)|bootstatuspolicy\s+ignoreallfailures/
      | Hypothesis := "H6_BCDEDIT_RECOVERY_TAMPER" | Confidence := "High";

    // USN change journal deletion (anti-forensics, common in ransomware playbooks)
    ImageFileName=/\\fsutil\.exe$/i
      AND CmdLower=/usn\s+deletejournal/
      | Hypothesis := "H7_FSUTIL_USN_DELETE" | Confidence := "Medium";

    * | Hypothesis := "NO_MATCH";
}
| Hypothesis != "NO_MATCH"
// --- Output --------------------------------------------------------------
| groupBy([aid, ComputerName], function=[
    count(as=PrecursorEvents),
    count(Hypothesis, distinct=true, as=DistinctTechniques),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen),
    collect([Hypothesis, Confidence, UserName, ImageFileName, CommandLine, ParentBaseFileName])
  ], limit=10000)
// Multiple distinct recovery-inhibition techniques on one host is near-certain ransomware staging
| case {
    DistinctTechniques >= 2 | Priority := "CRITICAL - multiple recovery-inhibition techniques";
    PrecursorEvents >= 3    | Priority := "HIGH - repeated recovery-inhibition activity";
    *                       | Priority := "MEDIUM - single event, validate context";
}
| FirstSeen := formatTime("%F %T %Z", field=FirstSeen)
| LastSeen := formatTime("%F %T %Z", field=LastSeen)
| sort(DistinctTechniques, order=desc)

Author

ByteRay GmbH

Data Sources

Endpoint

Platforms

windows

Tags

Detectioncs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Ransomware Precursors

# MITRE ATT&CK technique IDs
mitre_ids:
  - T1490
  - T1070.004

# Description of what the query does and its purpose.
description: |
  Detects command patterns that ransomware operators execute immediately before encryption to prevent recovery: Volume Shadow Copy deletion (vssadmin, WMIC, PowerShell WMI/CIM), backup catalog destruction (wbadmin), Windows Recovery Environment tampering (bcdedit), USN journal deletion (fsutil), and mass shadow storage resizing. Each event is classified into a named hypothesis so analysts can triage by technique. These commands are rare in legitimate day-to-day operation and their appearance - especially several within a short window on the same host - is one of the strongest early-warning signals of an imminent ransomware detonation.

# The author or team that created the query.
author: ByteRay GmbH

# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
  - Endpoint

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Insight

# Tags for filtering and categorization.
tags:
  - Detection

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #event_simpleName=ProcessRollup2 event_platform=Win
  // Optional scoping for testing on a single host
  | ComputerName=?ComputerName
  // Normalise the command line once for all subsequent matching
  | CmdLower := lower("CommandLine")
  // --- Recovery-inhibition classification ---------------------------------
  | case {
      // Shadow copy deletion via vssadmin
      ImageFileName=/\\vssadmin\.exe$/i
        AND CmdLower=/delete\s+shadows/
        | Hypothesis := "H1_VSSADMIN_SHADOW_DELETE" | Confidence := "High";
  
      // Shadow storage resize to force silent shadow deletion (401 KB trick)
      ImageFileName=/\\vssadmin\.exe$/i
        AND CmdLower=/resize\s+shadowstorage/
        | Hypothesis := "H2_VSSADMIN_SHADOWSTORAGE_RESIZE" | Confidence := "Medium";
  
      // Shadow copy deletion via WMIC
      ImageFileName=/\\wmic\.exe$/i
        AND CmdLower=/shadowcopy/ AND CmdLower=/delete/
        | Hypothesis := "H3_WMIC_SHADOW_DELETE" | Confidence := "High";
  
      // Shadow copy deletion via PowerShell WMI/CIM
      ImageFileName=/\\(powershell|powershell_ise|pwsh)\.exe$/i
        AND CmdLower=/win32_shadowcopy|get-wmiobject.{0,40}shadowcopy|get-ciminstance.{0,40}shadowcopy/
        AND CmdLower=/delete|remove/
        | Hypothesis := "H4_POWERSHELL_SHADOW_DELETE" | Confidence := "High";
  
      // Backup catalog / system state backup destruction
      ImageFileName=/\\wbadmin\.exe$/i
        AND CmdLower=/delete\s+(catalog|systemstatebackup|backup)/
        | Hypothesis := "H5_WBADMIN_BACKUP_DELETE" | Confidence := "High";
  
      // Disable Windows Recovery Environment / automatic repair
      ImageFileName=/\\bcdedit\.exe$/i
        AND CmdLower=/recoveryenabled\s+(no|off)|bootstatuspolicy\s+ignoreallfailures/
        | Hypothesis := "H6_BCDEDIT_RECOVERY_TAMPER" | Confidence := "High";
  
      // USN change journal deletion (anti-forensics, common in ransomware playbooks)
      ImageFileName=/\\fsutil\.exe$/i
        AND CmdLower=/usn\s+deletejournal/
        | Hypothesis := "H7_FSUTIL_USN_DELETE" | Confidence := "Medium";
  
      * | Hypothesis := "NO_MATCH";
  }
  | Hypothesis != "NO_MATCH"
  // --- Output --------------------------------------------------------------
  | groupBy([aid, ComputerName], function=[
      count(as=PrecursorEvents),
      count(Hypothesis, distinct=true, as=DistinctTechniques),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen),
      collect([Hypothesis, Confidence, UserName, ImageFileName, CommandLine, ParentBaseFileName])
    ], limit=10000)
  // Multiple distinct recovery-inhibition techniques on one host is near-certain ransomware staging
  | case {
      DistinctTechniques >= 2 | Priority := "CRITICAL - multiple recovery-inhibition techniques";
      PrecursorEvents >= 3    | Priority := "HIGH - repeated recovery-inhibition activity";
      *                       | Priority := "MEDIUM - single event, validate context";
  }
  | FirstSeen := formatTime("%F %T %Z", field=FirstSeen)
  | LastSeen := formatTime("%F %T %Z", field=LastSeen)
  | sort(DistinctTechniques, order=desc)

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  ## Why this matters
  
  Before deploying an encryptor, virtually every major ransomware family (LockBit, BlackCat/ALPHV, Akira, Conti descendants, Ryuk, and others) runs a near-identical "recovery inhibition" playbook so victims cannot restore from local snapshots or backups. Because these commands are executed **minutes before encryption begins**, detecting them provides one of the last actionable intervention windows in a ransomware intrusion.
  
  ## Detection hypotheses
  
  | Hypothesis | Command pattern | Notes |
  | :--- | :--- | :--- |
  | H1 | `vssadmin delete shadows /all /quiet` | The single most common ransomware precursor |
  | H2 | `vssadmin resize shadowstorage /maxsize=401MB` | Forces Windows to silently purge shadow copies; used to evade "delete shadows" detections |
  | H3 | `wmic shadowcopy delete` | WMIC-based variant |
  | H4 | PowerShell `Win32_ShadowCopy` / `Get-CimInstance ... \| Remove` | Script-based variant |
  | H5 | `wbadmin delete catalog -quiet` | Destroys the Windows Backup catalog |
  | H6 | `bcdedit /set {default} recoveryenabled no` + `bootstatuspolicy ignoreallfailures` | Prevents booting into WinRE for repair/restore |
  | H7 | `fsutil usn deletejournal /D C:` | Anti-forensics; wipes the NTFS change journal |
  
  ## Triage guidance
  
  - **`Priority = CRITICAL`** (2+ distinct techniques on one host): treat as active ransomware staging. Network-contain the host immediately and pivot on `ParentBaseFileName` and sibling processes.
  - **Single H1/H3/H5/H6 events**: still high-signal. Legitimate occurrences are rare and usually tied to storage administration or imaging/backup software - check the parent process and the executing user.
  - **Known false-positive sources**: backup agents (Veeam, Commvault), disk-cloning tools, and some VDI provisioning workflows may resize shadow storage (H2) or manage snapshots. Baseline these and add an exclusion on `ParentBaseFileName` or `UserName` rather than removing the hypothesis.