This note documents detection patterns and forensic indicators for ransomware-style impact on Windows hosts, drawn mainly from the Security event log: the burst of file writes during encryption and the shadow copy deletion that precedes or accompanies it.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4663 | An attempt was made to access an object (file or folder); the Accesses field shows WriteData, AppendData or DELETE for writes | High | Mass file access by a single process. Only logged when Object Access auditing is enabled and a SACL is set on the monitored files; with no SACL there is nothing to find |
| Security | 4688 | Process creation; look for vssadmin.exe with `delete shadows` | Critical | Recovery prevention. The command line is only recorded if "Include command line in process creation events" is enabled; without it you see only the image path |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Burst file writes | Many files written or renamed within seconds by one process, often with a new extension appended | Critical | Typical of ransomware encryption. Backup agents, compilers and sync clients can produce similar bursts, so confirm the writing process before escalating |
| Shadow deletion | vssadmin usage with `delete shadows`, especially shortly before or during the write burst | Critical | Recovery blocked; `list` or `create` invocations of vssadmin are routine and not by themselves suspicious |
Common Shadow Copy Deletion Commands
| Method | Example |
|---|---|
| vssadmin | `vssadmin delete shadows /all` (frequently with `/quiet` appended to suppress the confirmation prompt) |
Hunting Filters (Object-Based)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663}
MITRE ATT&CK References
- T1486 – Data Encrypted for Impact
- T1490 – Inhibit System Recovery (shadow copy deletion)
Decision Tree
- Was a shadow copy removed? Check 4688 for vssadmin.exe with `delete shadows`. If yes, treat the host as under active impact and prioritise containment; recovery from local snapshots is already gone.
- Are many files modified rapidly? Look for bursts of write-type 4663 events from one process within a short window; the process image and path identify the encryptor.
- Trace initial access: pivot from the encrypting process (and the parent of the vssadmin process) to its own 4688 parent chain and logon session, then work backwards to the delivery vector.
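The following is an added example, not part of the original note, that walks the decision tree above over constructed Security-log records. It is written in Python so it runs offline on parsed events; the field names (`ts`, `id`, `process`, `path`, `access_mask`, `cmdline`, `parent`) are assumptions for a parser that has already extracted the relevant 4663 and 4688 fields and converted the Access Mask to an integer. The sample events, the process names and the 20-writes-in-10-seconds threshold are made up for illustration.

```python
"""Toy triage of ransomware impact indicators over parsed Windows Security events.

Added example; the event dicts and field names are assumptions, not a real
log format, and SAMPLE_EVENTS is constructed data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# 4663 Access Mask bits that mean the object was written or deleted
# (WriteData 0x2, AppendData 0x4, DELETE 0x10000). Reads alone are not a signal.
WRITE_BITS = 0x2 | 0x4 | 0x10000

# Matches the deletion command from the table above; `list`/`create` do not match.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)

T0 = datetime(2024, 1, 1, 3, 0, 0)  # arbitrary base timestamp for the sample


def _ev(seconds, eid, process, **fields):
    """Build one constructed event dict `seconds` after T0."""
    return {"ts": T0 + timedelta(seconds=seconds), "id": eid, "process": process, **fields}


# Constructed sample: 40 writes by encryptor.exe inside 8 s, five writes by
# WINWORD.EXE spread over minutes, one benign vssadmin list, one deletion.
SAMPLE_EVENTS = (
    [_ev(i * 0.2, 4663, r"C:\Users\Public\encryptor.exe",
         path=rf"C:\Users\alice\Documents\file{i}.docx.locked", access_mask=0x2)
     for i in range(40)]
    + [_ev(60 * i, 4663, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
           path=rf"C:\Users\alice\Documents\report{i}.docx", access_mask=0x2)
       for i in range(5)]
    + [_ev(2, 4688, r"C:\Windows\System32\vssadmin.exe",
           cmdline="vssadmin list shadows"),
       _ev(9, 4688, r"C:\Windows\System32\vssadmin.exe",
           cmdline="vssadmin delete shadows /all /quiet",
           parent=r"C:\Users\Public\encryptor.exe")]
)


def find_shadow_deletion(events):
    """Step 1: 4688 events whose command line deletes shadow copies.
    Needs command-line auditing enabled, otherwise cmdline is empty."""
    return [e for e in events
            if e["id"] == 4688 and SHADOW_DELETE.search(e.get("cmdline", ""))]


def find_write_bursts(events, window=timedelta(seconds=10), threshold=20):
    """Step 2: per process, the peak number of write-type 4663 events in any
    sliding window of length `window`. Returns {process: peak} for processes
    that reach `threshold`; a slow editor never gets near it."""
    stamps = defaultdict(list)
    for e in events:
        if e["id"] == 4663 and e.get("access_mask", 0) & WRITE_BITS:
            stamps[e["process"]].append(e["ts"])
    bursts = {}
    for proc, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[proc] = max(bursts.get(proc, 0), count)
    return bursts


def triage(events):
    """Walk the decision tree and return a verdict plus the processes to pivot
    on for initial-access tracing (step 3)."""
    deletions = find_shadow_deletion(events)
    bursts = find_write_bursts(events)
    pivots = set(bursts) | {d["parent"] for d in deletions if d.get("parent")}
    if deletions and bursts:
        verdict = "ransomware impact: recovery inhibited and burst encryption observed"
    elif deletions:
        verdict = "recovery inhibited: shadow copies deleted, no burst writes yet"
    elif bursts:
        verdict = "burst file writes: possible encryption, verify process legitimacy"
    else:
        verdict = "no ransomware indicators in this window"
    return {"verdict": verdict, "shadow_deletions": len(deletions),
            "bursts": bursts, "pivot_processes": sorted(pivots)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2, default=str))
```

On the constructed sample the encryptor trips the burst check with 40 writes in one window, WINWORD.EXE never does, the `list shadows` invocation is ignored, and the parent of the deleting vssadmin process becomes the pivot for tracing initial access. In practice tune `window` and `threshold` per host role, and remember that both checks are blind if the audit policies named in the Direct Indicators table are not in place.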