After compromising a network of systems, threat actors often try to delete shadow copies in an attempt to prevent administrators from restoring the systems to the versions present before the attack. This is often done via vssadmin, a legitimate Windows tool for interacting with shadow copies. Failing to detect this technique, which is often employed by ransomware strains such as “Olympic Destroyer”, may lead to a failure to recover systems after an attack.

ATT&CK Detection

Technique                Subtechnique(s)   Tactic(s)   Level of Coverage
Inhibit System Recovery  N/A               Impact      Low

Data Model References

Object    Action   Field
process   create   command_line

Implementations

Splunk query for Detecting Shadow Copy Deletion via vssadmin.exe (Splunk, Sysmon native)

This query looks for process creations of vssadmin.exe whose command line contains "delete", alerting on attempts to delete shadow copies that may indicate malicious activity. Matching on OriginalFileName rather than the image path means a renamed copy of vssadmin.exe is still caught; note that event 4688 only carries the command line when the "Include command line in process creation events" audit policy is enabled.

index=__your_win_event_log_index__ EventCode=4688 CommandLine="*delete*" OriginalFileName="VSSADMIN.EXE"
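The same detection logic applied offline to constructed process-creation events, as an added example that is not part of the original analytic; the event field names (event_id, original_file_name, command_line) and the sample events are assumptions that mirror the data model above, and the last function is a visibility check for the audit-policy caveat.

```python
import re

# Constructed sample process-creation events (not from the page); the fields
# mirror the data model above: process / create / command_line, plus the
# OriginalFileName value the Splunk query keys on.
SAMPLE_EVENTS = [
    {"event_id": 4688, "original_file_name": "VSSADMIN.EXE",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"event_id": 4688, "original_file_name": "VSSADMIN.EXE",
     "command_line": "vssadmin list shadows"},          # benign enumeration
    # Renamed copy of vssadmin.exe: the image path is misleading, but the
    # PE version-info OriginalFileName still identifies the binary.
    {"event_id": 4688, "original_file_name": "VSSADMIN.EXE",
     "command_line": "C:\\Users\\Public\\svc.exe Delete Shadows /For=C: /Quiet"},
    {"event_id": 4688, "original_file_name": "WMIC.EXE",
     "command_line": "wmic process list"},
    {"event_id": 4688, "original_file_name": "VSSADMIN.EXE",
     "command_line": ""},  # command line not captured: audit policy gap
]

# Whole-word, case-insensitive match so "Delete" and "delete" both hit
# while unrelated substrings do not.
DELETE_RE = re.compile(r"\bdelete\b", re.IGNORECASE)


def is_shadow_copy_deletion(event: dict) -> bool:
    """True for a 4688 process creation of vssadmin.exe (matched on
    OriginalFileName, so renaming the binary does not evade it) whose
    command line contains the word 'delete'."""
    if event.get("event_id") != 4688:
        return False
    if (event.get("original_file_name") or "").upper() != "VSSADMIN.EXE":
        return False
    return DELETE_RE.search(event.get("command_line") or "") is not None


def find_alerts(events) -> list:
    """Command lines of every event that triggers the analytic."""
    return [e["command_line"] for e in events if is_shadow_copy_deletion(e)]


def count_missing_command_line(events) -> int:
    """Visibility check: vssadmin launches recorded with an empty command
    line mean command-line auditing is off and the analytic is blind."""
    return sum(1 for e in events
               if (e.get("original_file_name") or "").upper() == "VSSADMIN.EXE"
               and not e.get("command_line"))


if __name__ == "__main__":
    for cl in find_alerts(SAMPLE_EVENTS):
        print("ALERT shadow copy deletion:", cl)
    print("vssadmin events without command line:",
          count_missing_command_line(SAMPLE_EVENTS))
```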