After compromising a network of systems, threat actors often try to delete Volume Shadow Copies in an attempt to prevent administrators from restoring the systems to the state they were in before the attack. This is often done via vssadmin, a legitimate Windows tool for managing shadow copies. Failing to detect this technique, which is often employed by ransomware strains such as "Olympic Destroyer", may lead to a failure to recover systems after an attack.
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Inhibit System Recovery | N/A | Impact | Low |
Data Model References
Splunk query for Detecting Shadow Copy Deletion via vssadmin.exe (Splunk, Sysmon native)
This query looks for executions of vssadmin whose command line contains a delete argument, alerting us to attempts to delete shadow copies that may indicate malicious activity.
```
index=__your_win_event_log_index__ EventCode=4688 CommandLine="*delete*" OriginalFileName="VSSADMIN.EXE"
```
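The same predicate as the query above, applied to process-creation records outside Splunk, as an added example that is not part of the original page. The sample events are constructed; the field names follow Sysmon Event ID 1 (which carries the PE OriginalFileName, so the match survives the binary being copied under another name), and Security event 4688 is accepted as well for the command-line check.

```python
import re

# Constructed sample process-creation records, shaped like Sysmon Event ID 1 fields
# as they arrive in Splunk. None of this is real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet", "User": r"CORP\svc-backup"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin list shadows", "User": r"CORP\admin"},
    # Binary copied under another name: Image no longer says vssadmin, OriginalFileName still does.
    {"EventCode": 1, "Image": r"C:\Users\Public\update.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "update.exe Delete Shadows /For=C: /Oldest", "User": r"CORP\jdoe"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c del C:\temp\report.txt", "User": r"CORP\jdoe"},
]

# Same predicate as the SPL: the process is vssadmin (by PE OriginalFileName, which
# survives renaming) and the command line carries the "delete" verb, case-insensitively.
DELETE_TOKEN = re.compile(r"\bdelete\b", re.IGNORECASE)


def is_shadow_copy_deletion(event: dict) -> bool:
    """True when a process-creation event looks like vssadmin deleting shadow copies."""
    if event.get("EventCode") not in (1, 4688):   # Sysmon or Security process creation only
        return False
    if event.get("OriginalFileName", "").upper() != "VSSADMIN.EXE":
        return False
    return DELETE_TOKEN.search(event.get("CommandLine", "")) is not None


def find_shadow_copy_deletions(events) -> list:
    """Return (user, command line) pairs for every matching event, ready for alerting."""
    return [(e["User"], e["CommandLine"]) for e in events if is_shadow_copy_deletion(e)]


if __name__ == "__main__":
    for user, cmd in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"ALERT T1490 shadow copy deletion by {user}: {cmd}")
```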