Whoami
  • Welcome
  • Home Lab: C2 Detection, Ransomware Defense & YARA Automation
    • SOC Lab – What is this Lab about ?
    • Part 1 - Setting Up the Environment
    • Part 2 - Detecting C2 Activity
    • Part 3 - Credential Dumping & Threat Detection
    • Part 4 - Blocking Ransomware
    • Part 5 - Reducing False Positives
    • Part 6 - Automated YARA Scanning
  • Automation Lab - Home Project
    • Sysmon Installation
    • Wazuh & TheHive: Installation, Configuration, and Optimization
    • Tracking Mimikatz Activity with Wazuh & Sysmon Logs
    • End-to-End Alert Automation: Wazuh → Shuffle → TheHive
  • Active Directory Attack Lab: Recon-to-Root
    • Reconnaissance Phase
      • 1. Full TCP Port Scan on Target Host
      • 2. Service and Version Detection
      • 3. Null Session SMB Enumeration
      • 4. LDAP Anonymous Bind Check
      • 5. Kerberos Username Enumeration
      • 6. Password Brute Force via SMB Login
    • Exploitation Phase
      • 7. Dump Domain Information via LDAP
      • 8. Perform Remote AD Recon with BloodHound
      • 9. Set Up Neo4j and Launch BloodHound GUI
      • 10. Abuse ForceChangePassword Right via RPC
      • 11. Validate New Credentials via WinRM
      • 12. Enumerate Local Privileges and AutoLogon
      • 13. Reuse Administrator Credentials
      • 14. Capture the User Flag
  • QRadar101 Lab Challenge
    • Scenario and Instructions
    • The Walkthrough
Powered by GitBook
On this page
  • Blocking Attacks in LimaCharlie
  • Introduction
  • Why This Rule?
  • Detecting Volume Shadow Copy Deletion
  • Crafting the Detection & Response (D&R) Rule
  • Testing the Blocking Rule
  • Next Steps: Strengthening the Rule
  1. Home Lab: C2 Detection, Ransomware Defense & YARA Automation

Part 4 - Blocking Ransomware

Blocking ransomware by detecting and stopping harmful commands in LimaCharlie. This guide shows how to prevent attackers from deleting backups.

PreviousPart 3 - Credential Dumping & Threat DetectionNextPart 5 - Reducing False Positives

Last updated 3 months ago

Blocking Attacks in LimaCharlie

Introduction

In Part 3, we explored crafting detection rules to identify threats in real time. However, detecting threats is only half the battle—blocking them before they cause harm is the next crucial step.

Blocking attacks requires careful baselining to avoid false positives. A best practice is to first run a detection rule in alert-only mode, monitor it for a period, eliminate false positives, and then deploy a blocking version.

Here we will create a rule that effectively disrupts a ransomware attack by detecting and blocking the deletion of Volume Shadow Copies.

Why This Rule?

Volume Shadow Copies allow restoration of files or entire file systems, making them a crucial recovery tool against ransomware. Attackers use this to remove backups before encrypting files.

A common command used for this action:

vssadmin delete shadows /all

This command is rarely executed in a healthy environment, making it a low false-positive, high-value detection candidate.

Detecting Volume Shadow Copy Deletion

Step 1: Execute the Malicious Command

  1. Open an SSH session to the Linux VM and start a Sliver C2 shell on the victim.

  2. Run:

    shell

  3. Confirm when prompted: “This action is bad OPSEC, are you an adult?” → Type Y and press Enter.

  4. Execute the following:

    vssadmin delete shadows /all

- The output doesn't matter; whether or not Volume Shadow Copies exist on the VM, running the command is enough to generate the required telemetry.

  1. Run:

whoami

This confirms if the session is still active.

Step 2: Check for Detection

  1. Open LimaCharlie’s Detection Tab.

  2. Look for any Sigma rule detections.

  3. Expand the detection to review its metadata. Sigma rules include references that help explain why the detection was triggered.

  4. View the raw event in the Timeline.

Crafting the Detection & Response (D&R) Rule

Using the detected event, we will create a rule to detect and terminate the parent process responsible for executing the deletion command.

Response Action

response:
  - action: report
    name: vss_deletion_kill_it
  - action: task
    command:
      - deny_tree
      - <<routing/parent>>

  • The action: report section generates a detection report in the "Detections" tab.

  • The action: task section uses deny_tree to terminate the parent process that executed the vssadmin delete shadows /all command.

Save this rule as vss_deletion_kill_it.

Testing the Blocking Rule

  1. Return to the Sliver C2 session.

  2. Run the deletion command again:

    vssadmin delete shadows /all

  1. Run:

whoami

If the rule worked, the shell will hang or exit, confirming the process was terminated.

To manually exit the shell, press Ctrl + D. Notice :

Your rule stopped the process that was running your command.

When you ran vssadmin delete shadows /all, LimaCharlie detected it and killed the process that started your shell. Since your shell depended on that process, it also got closed.

So when you tried whoami, the shell was already dead, which is why you saw "Shell exited."

Next Steps: Strengthening the Rule