The Windows Volume Shadow Copy Service is a built-in OS feature that can be used to create backup copies of files and volumes.

Adversaries may delete these shadow copies, typically through the use of system utilities such as vssadmin.exe or wmic.exe, in order to prevent file and data recovery. This technique is commonly employed for this purpose by ransomware.

References

This Red Canary blog post covers both vssadmin.exe and wmic.exe approaches as well as potential others.

ATT&CK Detection

Technique Subtechnique(s) Tactic(s) Level of Coverage
Inhibit System Recovery N/A Impact Medium

Data Model References

Object Action Field
process create image_path
process create command_line

Implementations

Vssadmin.exe delete shadows (Pseudocode)

This pseudocode looks for process creation events for the vssadmin.exe utility with a specific set of command-line parameters for deleting shadow copies.

processes = search Process:Create
vssadmin_processes = filter processes where (
  command_line = "*delete shadows*"  and
  image_path = "C:\Windows\System32\vssadmin.exe")
output vssadmin_processes

WMIC shadowcopy delete (Pseudocode)

This pseudocode looks for process creation events for wmic.exe with a specific set of command-line parameters for deleting shadow copies.

processes = search Process:Create
wmic_processes = filter processes where (
  command_line = "*shadowcopy delete*"  and
  image_path = "C:\Windows\*\wmic.exe")
output wmic_processes
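The two pseudocode filters above, run over constructed Sysmon-style process-creation events, as an added Python example that is not part of the CAR analytic. The event dictionary keys (action, image_path, command_line) mirror the data model fields listed on this page; the sample events are constructed, not real telemetry.

```python
from fnmatch import fnmatchcase

# Image-path and command-line globs copied from the CAR pseudocode above.
# "*" is a wildcard; the wmic pattern covers both System32 and SysWOW64.
RULES = {
    "vssadmin_delete_shadows": ("C:\\Windows\\System32\\vssadmin.exe", "*delete shadows*"),
    "wmic_shadowcopy_delete": ("C:\\Windows\\*\\wmic.exe", "*shadowcopy delete*"),
}


def _match(value, pattern):
    # Windows paths and command lines are case-insensitive. fnmatchcase is used
    # (with both sides lowercased) so behaviour is the same on any host OS.
    return fnmatchcase(value.lower(), pattern.lower())


def classify(event):
    """Return the names of the CAR rules that a process-creation event matches."""
    if event.get("action") != "create":
        return []
    return [
        name
        for name, (image_glob, cmd_glob) in RULES.items()
        if _match(event["image_path"], image_glob) and _match(event["command_line"], cmd_glob)
    ]


def detect(events):
    """Apply classify() to every event and return (event, rule_name) pairs."""
    return [(event, rule) for event in events for rule in classify(event)]


# Constructed sample events (hypothetical, for illustration only).
SAMPLE_EVENTS = [
    {"action": "create", "image_path": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows"},
    {"action": "create", "image_path": "C:\\Windows\\SysWOW64\\wmic.exe",
     "command_line": "wmic shadowcopy delete"},
    {"action": "create", "image_path": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin list shadows"},  # benign listing: no match
    {"action": "create", "image_path": "C:\\Users\\alice\\vssadmin.exe",
     "command_line": "vssadmin delete shadows"},  # outside the expected path: rule scoped to System32
]

if __name__ == "__main__":
    for event, rule in detect(SAMPLE_EVENTS):
        print(rule, "<-", event["command_line"])
```

The fourth sample shows the rule's path constraint: the analytic is scoped to the expected System32 location, which is worth keeping in mind when reviewing coverage.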

Vssadmin.exe delete shadows (Splunk, Sysmon native)

Splunk version of the CAR pseudocode.

index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="*delete shadows*"

WMIC shadowcopy delete (Splunk, Sysmon native)

Splunk version of the CAR pseudocode.

index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\wmic.exe" CommandLine="*shadowcopy delete*"

Vssadmin.exe delete shadows (Eql, EQL native)

An EQL version of the CAR pseudocode.

WMIC shadowcopy delete (Eql, EQL native)

An EQL version of the CAR pseudocode.

Vssadmin.exe delete shadows & WMIC shadowcopy delete (Sigma, Sigma native)

A Sigma version of the CAR pseudocode for both vssadmin.exe and wmic.exe approaches.