Detecting Ransomware Precursors

The business model for Ransomware has evolved to include multi-level and multi-stage services and tool kits. Initial access is often accomplished by 1st stage compromise, followed by 2nd stage download/drop of tools like Emotet, Trickbot, and Qakbot. This 2nd stage allows adversaries to lurk in your network, profiling normal use and/or searching for targets of maximum impact. At this point the attack often looks like any other infiltration. However, several techniques are often observed just prior to ransomware execution. In this post I’ll provide examples of these detectable behaviors which you can use to build SIEM alerts, custom EDR prevention/response rules, and threat hunting logic. Detecting these patterns (in near real time) will give you an advantage in understanding what kind of threat you are facing and which devices have been impacted when the inevitable emergency phone calls start coming in.

Caveat 1: Alerting on this activity is a LAST line of defense. Truthfully, if you catch a real bad guy with these, you’re likely going to have a terrible couple of weeks. If you don’t already have a robust set of other detection rules for the 1st and 2nd stages, PLEASE don’t start here. This is the last chance to alert and will most likely be only of forensic value, since these often occur minutes before ransomware is deployed. If you’re lucky, you’ll have a chance to identify and isolate the impacted devices before the attack spreads further.

Caveat 2: The commands below assume two things:
1. you are monitoring process execution and associated command lines,
2. the commands are in plain text and not encoded via PowerShell or otherwise obscured (e.g. passed via API). If they are, and you have a robust EDR Solution, or script block logging enabled, you may still be able to see the decoded/hidden commands. Note, some of these techniques are detectable via other means (e.g. registry monitoring) and where that is the case I’ve mentioned it in the “notes” column below. Always test your rules with adversary emulation techniques!

Goal 1: Profile and Disable Protections
These actions aim to evade/disable prevention/detection tools. This could be disabling AntiVirus processes or making changes to system settings.

SubGoalNotional Search LogicExamplesNotes
Recon for security tools via WMIselect * AntivirusProduct


select * AntispywareProduct


select * FirewallProduct
wmic select * antivirus
wmic select * antispyware
‘*’ in these commands is literal. In every other example which follows, it is NOT literal.

wmic.exe is commonly used, but a few alternative processes are worth including:
srccons.exe | cmd.exe |
winrm.exe | winrs.exe |
wmiprvse.exe | cscript.exe|
wscript.exe | powershell.exe.
Disable security tools via service stop/delete/confignet stop *


sc stop *


sc delete *


sc config * disabled

Examples for MS Firewall service, MS Defender, and Windows Update Service:

sc config MpsSvc start= disabled
sc config WinDefend start= disabled
sc config wuauserv start= disabled

net stop MpsSvc
net stop WinDefend
net stop wuauserv

sc stop MpsSvc
sc stop WinDefend
sc stop wuauserv

sc delete MpsSvc
sc delete WinDefend
sc delete wuauserv

Design your search logic with your own relevant tools and processes unique to your environment.

Additional Detections:
7036 – Service started or stopped
7040 – Start type changed (Boot | On Request | Disabled)
Disable windows firewall via netshnetsh firewall set opmode mode=disable


netsh Advfirewall set allprofiles state off
cmd /c netsh firewall set opmode mode=disable
cmd /c netsh Advfirewall set allprofiles state off
Disabling firewalls may assists with lateral movement and C2.
Disable or misconfigure Defender AV via powershellpowershell Set-MpPreference -Disable*


powershell Add-MpPreference -Exclusion*
powershell Set-MpPreference -DisableRealtimeMonitoring $true

powershell Set-MpPreference -DisableBehaviorMonitoring $true

powershell Set-MpPreference -DisableRealtimeMonitoring $true

powershell Add-MpPreference -ExclusionPath C:

Add-MpPreference -ExclusionExtension “.exe”
These commands disable elements of MS Defender or set exclusion parameters to evade detection.

Microsoft-Windows-Windows Defender/Operational.evtx

– Event ID 5001 may be monitored to detect Defender AV Real-Time being disabled.

– Event ID 5007 may be monitored to detect Defender configuration changes.

Monitoring this registry key will also help with detection:
Stop Services with WMICwmic service where * call stopservicewmic service where “caption like ‘%%sense%%'” call stopserviceThe example command is aimed at disabling the Windows Defender Advanced Threat Protection (EDR) service.
Relax filesystem ACLsicacls* *grant*"icacls ""C:*"" /grant Everyone:F /T /C /Q"

"icacls ""D:*"" /grant Everyone:F /T /C /Q"
Relaxing filesystem ACLs allows the malware to access all files.
Take ownership of files with takeown.exetakeown.exe * /F *Takeown /S c:\

TAKEOWN /S system /U user /P password /F Myshare*
Taking ownership of files allows the malware to access all files.
Clear event logs to cover tracks.wevtutil* cl *wevtutil.exe cl Application

wevtutil.exe cl Security

wevtutil.exe cl System

FOR /F “delims=” %%I IN (‘WEVTUTIL EL’) DO (WEVTUTIL CL “%%I”)
Erasing events in the event logs is an anti-forensic technique.

Additional detection possibilities:
– Security EventID 1102; EventLog cleared
– System EventID 104; Any eventlog was cleared.
Disable Logging wevtutil* sl * `wevtutil.exe sl Security /e:false`The wevtutil sl log_name /e:false is the same as right-clicking on the log and choosing “Disable log”
Delete USN Journalfsutil usn deletejournalfsutil usn deletejournal /D C:"USN Journal keeps a log of all filesystem changes in NTFS volumes. deleting the journal is an anti-forensic technique.

Goal 2: Impair Recovery
These actions aim to limit the victim’s options for stopping the malware and recovering from the loss of data. ATT&CK: Inhibit System Recovery (T1490).

SubGoalNotional Search LogicExamplesNotes
Prevent system from booting into Automatic Repair Modebcdedit /set {default} bootstatuspolicy ignoreallfailures


bcdedit /set {default} recoveryenabled no
bcdedit /set {default} bootstatuspolicy
bcdedit /set {default} recoveryenabled no
Prevents startup in Automatic Repair Mode
Disable System Restoreschtasks.exe /Change /TN * /disableschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disableDefray ransomware disables a default scheduled task which perform system restore backups.
Enforce next startup in safemodereg add HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\*reg add HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupManUpon execution of Snatch ransomware, it will install itself as a Windows service named “SuperBackupMan” and create the following registry key to ensure it will start up during bootup into Safe Mode.

Monitoring for registry changes here via Windows auditing and/or EDR will help with detection if the malware uses a more hidden approach.
Disable Task Managerreg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System * DisableTaskMgr *reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /fLimits ability of user to profile and kill tasks.>

Monitoring for registry changes here via Windows auditing and/or EDR will help with detection if the malware uses a more hidden approach.
Delete shadow copieswmic shadowcopy delete *


vssadmin delete shadows *


vssadmin resize shadowstorage *


powershell Get-WmiObject Win32_ShadowCopy *
Vssadmin.exe Delete Shadows /All /Quiet

vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

powershell Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }

powershellGet-WmiObject Win32_ShadowCopy | Remove-WmiObject
This is one of THE most prevalent techniques seen in all ransomware families.

For vssadmin techniques, we now have a preventative option we well.
Make deleted files unrecoverable with cipher.execipher*/W:C:\cipher /W:C\cipher.exe clears the unallocated sectors of the disk from any residual data; making it impossible to forensically recover deleted files.
Delete backup filesdel /s /f /q *del /s /f /q c:*.VHD c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win c:*.dskRyuk ransomware also used this rudimentary approach to find and delete any files matching patterns signifying backups.
Delete backups via wbadminwbadmin delete *wbadmin delete catalog -quiet
cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
wbadmin enables you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt.
Delete computer restore pointdelete-ComputerRestorePointGet-ComputerRestorePoint | delete-ComputerRestorePoint

Goal 3: Unlock files in use
These actions aim to ensure the most damage by allowing the ransomware to encrypt even files which may be in use. Killing tasks which have files locked open is key to ensuring they are editable by the ransomware.

SubGoalNotional Search LogicExamplesNotes
Kill processes with taskkilltaskkill* /IM *taskkill.exe"" /IM sqlbrowser.exe /F"

taskkill.exe"" /IM sqlceip.exe /F"

taskkill.exe"" /IM sqlservr.exe /F"

taskkill.exe"" /IM sqlwriter.exe /F"
This is similar to the disabling of security tools, but will often be much noisier attempting to kill dozens of processes in short succession. Look for spikes in this command. The report linked below shows several examples.

Additional detection options may exist (e.g. Security Log EventID 4689 Process Terminated)
Kill processes with netstopnet stop *
net delete *
net.exe"" stop ""samss"" /y"

net.exe"" stop ""veeamcatalogsvc"" /y"

net.exe"" stop ""veeamcloudsvc"" /y"

net.exe"" stop ""veeamdeploysvc"" /y"
Ryuk samples have been observed attempting to stop over 50 predefined processes. Look for spikes in these commands.

Additional Detections:
7036 – Service started or stopped
7040 – Start type changed (Boot | On Request | Disabled)
Kill processes with scsc stop *
sc delete *
sc config * disabled
sc stop RabbitMQ

sc config SQLTELEMETRY start= disabled

sc config SQLTELEMETRY$ECWDB2 start= disabled

sc config SQLWriter start= disabled

sc config SstpSvc start= disabled
These (like ‘net stop’ and ‘taskkill’) are often seen in a simple batch file. Look for spikes in these commands.

Additional Detections:
7036 – Service started or stopped
7040 – Start type changed (Boot | On Request | Disabled)
Kill processes with wmicwmic process * delete
Look for spikes in these commands.

Goal: Destroy/Ransom Data
This is the final stage where files are encrypted, often renamed and a ransom note is presented or dropped on the filesystem. The detection value of alerting at this stage is limited, since we are going to hope and believe that our users are going to call the emergency hotline at this point and, God forbid, not attempt to pay the attackers.

I hope this will help you in your fight against ransomware. Drop me a comment and let me know what other detection logic you have have found helpful.

4 thoughts on “Detecting Ransomware Precursors

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s