Windows Threat Hunting : Processes of Interest (Part 2)


A list of common Windows processes and how they can be used maliciously by hackers

We will continue the list of processes from Part 1 and discuss a few more legitimate Windows processes and their malicious use cases, along with some alternatives and processes that can aid in reconnaissance.

vssadmin

vssadmin is a built-in Windows utility used to manage volume shadow copies of the files stored on a machine. These shadow copies serve as backups that can be used to restore damaged or corrupted files in case of data loss. Ransomware attacks aim to hijack access to the data and files on a system by encrypting them and then demanding a ransom to release control over the data. Having up-to-date backups of files and data hampers the attacker's objectives, as the data can be easily recovered. This is why, during ransomware campaigns, attackers attempt to delete these backups and shadow copies using vssadmin so
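As an added example (not code from the original post), the following Python hunt parses a few constructed Sysmon-style process-creation events and flags vssadmin shadow-copy deletions, scoring them higher when the command uses /all or /quiet or when the parent process runs from a user-writable directory; the event line format, field names and scoring weights are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry. One event per line, fields written as key=value
# separated by " | ". The first line is benign vssadmin use (listing shadows).
SAMPLE_EVENTS = """\
Image=C:\\Windows\\System32\\vssadmin.exe | CommandLine=vssadmin list shadows | ParentImage=C:\\Windows\\System32\\cmd.exe | User=CORP\\backupsvc
Image=C:\\Windows\\System32\\vssadmin.exe | CommandLine=vssadmin.exe Delete Shadows /All /Quiet | ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe | User=CORP\\alice
Image=C:\\Windows\\System32\\notepad.exe | CommandLine=notepad.exe notes.txt | ParentImage=C:\\Windows\\explorer.exe | User=CORP\\alice
Image=C:\\Windows\\SysWOW64\\vssadmin.exe | CommandLine="C:\\Windows\\SysWOW64\\vssadmin.exe" delete shadows /for=C: /oldest | ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | User=CORP\\bob
"""

# Case-insensitive match for the shadow-copy deletion subcommand.
DELETE_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


@dataclass
class Finding:
    user: str
    command_line: str
    parent: str
    score: int  # assumed severity weighting: higher means more suspicious


def parse_event(line: str) -> dict:
    """Split one 'k=v | k=v' event line into a field dictionary."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")  # first '=' only; keeps '/for=C:' intact
        fields[key.strip()] = value.strip()
    return fields


def hunt_vssadmin_deletes(events_text: str) -> list:
    """Return a Finding for every vssadmin.exe launch that deletes shadow copies."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        if not image.endswith("\\vssadmin.exe") or not DELETE_RE.search(cmd):
            continue  # other binaries, or benign vssadmin use such as "list shadows"
        score = 1
        if re.search(r"/all\b", cmd, re.IGNORECASE):
            score += 2  # wipes every shadow copy, not a single one
        if re.search(r"/quiet\b", cmd, re.IGNORECASE):
            score += 1  # suppresses the interactive confirmation prompt
        parent = ev.get("ParentImage", "")
        if "\\temp\\" in parent.lower() or "\\appdata\\" in parent.lower():
            score += 3  # parent launched from a user-writable directory
        findings.append(Finding(ev.get("User", ""), cmd, parent, score))
    return findings
```

Running the hunt over the sample yields two findings; the one spawned from a Temp directory with /all and /quiet scores highest and is the one to triage first.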
