EDR-01-HOST-Vssadmin-Delete-Shadows

Detects the execution of vssadmin delete shadows on Windows hosts, a typical operation performed before ransomware encryption.

  • MITRE ATT&CK: T1490 - Inhibit System Recovery
  • Demonstrates EDR alert to ASP Alert mapping, process-related Artifact extraction, and Case aggregation

Log Source

Logs are generated by the Mock Plugin HostGenerator, which produces simulated EDR host logs. Field descriptions can be found in siem-host-events.yaml.

Key Processing Logic

  • Field Extraction: Extract host, user, process, parent process, and hash information from raw alerts, supporting both flat and nested JSON formats
  • Artifact: Executing user, affected host, process hash (SHA256/MD5), full command line
  • Aggregation: Aggregate by [hostname, username] within 24h into the same Case
  • Severity: Default disposition is DETECTED (shadow copy deletion is a strong indicator of ransomware); the risk score maps to severity as >=90 Critical, >=70 High, >=40 Medium
  • Mitigation: Restrict vssadmin.exe via AppLocker/WDAC, monitor shadow copy deletion, maintain offline backups
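The following is an added worked example of the processing logic described above (field extraction from flat and nested JSON, artifact extraction, severity mapping from the risk score, and 24h aggregation by [hostname, username]). It is not code from this rule or from the HostGenerator plugin: the field names in both layouts, the sample events and the hash values are constructed here, since siem-host-events.yaml is not reproduced on this page, and a "Low" severity below a score of 40 is an assumption the page does not state.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample EDR events (not real HostGenerator output): flat, nested, and a benign "list".
SAMPLE_EVENTS = [
    json.dumps({"timestamp": "2024-05-01T10:00:00Z", "hostname": "WS-FINANCE-07",
                "username": "CORP\\alice", "process_name": "vssadmin.exe",
                "command_line": "vssadmin.exe delete shadows /all /quiet",
                "parent_process": "cmd.exe", "sha256": "a" * 64, "md5": "b" * 32,
                "risk_score": 95}),
    json.dumps({"timestamp": "2024-05-01T11:30:00Z",
                "host": {"name": "WS-FINANCE-07"}, "user": {"name": "CORP\\alice"},
                "process": {"name": "vssadmin.exe",
                            "command_line": "VSSADMIN  Delete   Shadows /For=C: /Oldest",
                            "parent": {"name": "powershell.exe"},
                            "hash": {"sha256": "a" * 64, "md5": "b" * 32}},
                "risk_score": 75}),
    json.dumps({"timestamp": "2024-05-01T12:00:00Z", "hostname": "WS-IT-01",
                "username": "CORP\\bob", "process_name": "vssadmin.exe",
                "command_line": "vssadmin.exe list shadows",   # benign: must not fire
                "parent_process": "cmd.exe", "sha256": "a" * 64, "md5": "b" * 32,
                "risk_score": 10}),
]

# Match "vssadmin ... delete shadows" regardless of case, extra spaces or the .exe suffix.
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)


def _get(event, *paths):
    """Return the first value found at any of the dotted paths (flat or nested layout)."""
    for path in paths:
        cur = event
        for key in path.split("."):
            if not isinstance(cur, dict) or key not in cur:
                cur = None
                break
            cur = cur[key]
        if cur is not None:
            return cur
    return None


def extract_artifacts(raw):
    """Field extraction: host, user, process, parent, hashes and command line from a raw JSON alert."""
    ev = json.loads(raw)
    ts = _get(ev, "timestamp", "@timestamp")
    return {
        "timestamp": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "hostname": _get(ev, "hostname", "host.name"),
        "username": _get(ev, "username", "user.name"),
        "process": _get(ev, "process_name", "process.name"),
        "parent_process": _get(ev, "parent_process", "process.parent.name"),
        "command_line": _get(ev, "command_line", "process.command_line") or "",
        "sha256": _get(ev, "sha256", "process.hash.sha256"),
        "md5": _get(ev, "md5", "process.hash.md5"),
        "risk_score": _get(ev, "risk_score") or 0,
    }


def severity(risk_score):
    """Thresholds from the rule description; 'Low' below 40 is an assumption."""
    if risk_score >= 90:
        return "Critical"
    if risk_score >= 70:
        return "High"
    if risk_score >= 40:
        return "Medium"
    return "Low"


def build_alert(art):
    """Map a matching EDR event to an ASP-style alert with the rule's default disposition."""
    return {**art, "disposition": "DETECTED", "severity": severity(art["risk_score"]),
            "technique": "T1490"}


def aggregate_cases(alerts, window=timedelta(hours=24)):
    """Group alerts by (hostname, username); open a new Case once the window has elapsed."""
    cases, open_cases = [], {}
    for a in sorted(alerts, key=lambda x: x["timestamp"]):
        key = (a["hostname"], a["username"])
        case = open_cases.get(key)
        if case is None or a["timestamp"] - case["first_seen"] > window:
            case = {"key": key, "first_seen": a["timestamp"], "alerts": []}
            cases.append(case)
            open_cases[key] = case
        case["alerts"].append(a)
    return cases


def run_rule(raw_events):
    """Full pipeline: extract -> match on command line -> alert -> aggregate into Cases."""
    artifacts = (extract_artifacts(r) for r in raw_events)
    alerts = [build_alert(a) for a in artifacts if VSSADMIN_DELETE.search(a["command_line"])]
    return aggregate_cases(alerts)


if __name__ == "__main__":
    for case in run_rule(SAMPLE_EVENTS):
        print(case["key"], [(a["severity"], a["parent_process"]) for a in case["alerts"]])
```

Both matching events share the same host and user and fall within 24h, so they land in one Case; the benign `list shadows` event yields no alert. Matching on the command line rather than only on the process name is what keeps the rule from firing on routine shadow copy enumeration.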