Azure-Sentinel

Update hunt query Possible Ransomware Related Destruction Activity

Open AaronHoffmannRL opened this issue 3 years ago • 0 comments

Change(s):

  • Adds a filter to include WMIC events where shadow copies are deleted

Reason for Change(s):

  • Updating query for better detections

Version Updated:

  • N/A

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • Yes

AaronHoffmannRL, Aug 10 '22 21:08