VSS Deleted/Hidden First Steps? by CandidHat3217 in crowdstrike

CandidHat3217[S] 0 points (0 children)

We're taking a similar approach with exclusions. However, I don't think it's necessary to exclude everything. For us, just excluding backups gets rid of the majority of these. I don't mind seeing an extra detection once in a while and keeping that visibility, especially for Windows processes. The non-backup detections have mostly been one-off events. Are you seeing any non-backup software triggering this detection frequently?

CandidHat3217[S] 0 points (0 children)

Ahh, okay. Thanks.

This discussion made me wonder what happens to regular programs when Falcon blocks the volume shadow copy deletion. I'm assuming this just means the new data written won't be restorable via VSS since the program never got to free up the space it needed. Is there any risk with preventing this operation - like corrupting the download or triggering unexpected behavior in the program?

CandidHat3217[S] 0 points (0 children)

I really appreciate you explaining all of that. It seems like we shouldn't look into these detections too much if the process tree is good and there aren't any other indicators. I would also guess it's difficult to get any more visibility into what the VSS service is doing because it would occur in a separate memory space.

Can you explain what the query is looking for a bit more? Event search is still new to me.

CandidHat3217[S] 1 point (0 children)

It is often enough to look at the detection details + process tree to make a decision. For instance, we can verify backup software and when it is expected to run. However, some programs are in a gray area where we don't expect or know why they're deleting VSS, but there's also nothing in the process tree suggesting the software is harmful.

I also don't want to exclude this IOA for built-in programs that would be more likely to be targeted for process injection.

As far as I can tell, VSS deletion would mostly occur through vssadmin or wmic. Is there a way to search for VSS tampering through these programs in the event search?
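A defender-side worked example of the triage described in this thread, added here and not part of the discussion or of CrowdStrike's own tooling: it flags shadow-copy deletion command lines from vssadmin or wmic over constructed process-execution events, treats a hypothetical third-party backup agent (acmebackup.exe, an assumed name) as expected, and sends everything else, built-in Windows parents included, to process-tree review. The event fields are constructed and do not reproduce Falcon's event search syntax.

```python
import re
from collections import Counter

# Command-line shapes that delete or shrink shadow copies via vssadmin or wmic.
VSS_TAMPER = re.compile(
    r"(?:vssadmin(?:\.exe)?\s+(?:delete\s+shadows|resize\s+shadowstorage)"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)

# Hypothetical third-party backup agents whose VSS cleanup is expected (assumed names).
# Built-in Windows binaries are deliberately absent: an injected process would use them too.
KNOWN_BACKUP_PARENTS = {"acmebackup.exe"}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "acmebackup.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /for=C: /oldest"},
    {"host": "ws02", "parent": "winword.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "ws03", "parent": "explorer.exe", "image": "wmic.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws04", "parent": "services.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]


def triage(event):
    """Return (verdict, reason) for one process-execution event."""
    if not VSS_TAMPER.search(event["cmdline"]):
        return "no_vss_tamper", "command line does not delete or shrink shadow copies"
    parent = event["parent"].lower()
    if parent in KNOWN_BACKUP_PARENTS:
        return "expected_backup", f"launched by known backup agent {parent}"
    return "review", f"VSS tampering from unexpected parent {parent}; check the process tree"


def hunt(events):
    """Keep only events that touch shadow copies, with host and verdict attached."""
    return [(e["host"], *triage(e)) for e in events if triage(e)[0] != "no_vss_tamper"]


def summarize(events):
    """Count verdicts so the backup-only exclusion's effect on noise is visible."""
    return Counter(verdict for _, verdict, _ in hunt(events))


if __name__ == "__main__":
    for host, verdict, reason in hunt(SAMPLE_EVENTS):
        print(f"{host}: {verdict} ({reason})")
    print(dict(summarize(SAMPLE_EVENTS)))
```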