Volume Shadow Copy Deletion via WMIC
Identifies use of wmic.exe to delete Volume Shadow Copies on endpoints, which removes the local restore points a defender would use to recover files. This commonly occurs in tandem with ransomware or other destructive attacks. Note that the query keys on the process name, so the same deletion performed through vssadmin.exe, through WMI from PowerShell, or by a renamed copy of wmic.exe is not covered by this analytic.
| Field | Value |
|---|---|
| id | 7163f069-a756-4edc-a9f2-28546dcb04b0 |
| categories | detect |
| confidence | medium |
| os | windows |
| created | 11/30/2018 |
| updated | 05/17/2019 |
Query

```eql
process where subtype.create and
  process_name == "wmic.exe" and command_line == "* *shadowcopy* *delete*"
```
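To make the matching behaviour of the query concrete, the following Python is an added example that is not part of the EQL analytics library: it re-implements the rule's three conditions in plain code and runs them over a handful of constructed process events. The event dictionaries, their field names (`event_type`, `subtype`, `process_name`, `command_line`) and the `eql_wildcard_match` helper are assumptions made for this illustration; the helper approximates EQL's string `==`, where comparisons are case-insensitive and `*` matches any run of characters, including none.

```python
"""Evaluate the "Volume Shadow Copy Deletion via WMIC" rule over sample events.

Added example; not code from the EQL analytics library. The event schema and
the wildcard helper below are assumptions made for this illustration.
"""
import re

PROCESS_NAME = "wmic.exe"
COMMAND_LINE_PATTERN = "* *shadowcopy* *delete*"


def eql_wildcard_match(value, pattern):
    """Approximate EQL's `==` on a string containing `*` wildcards.

    Only `*` is special (it matches any run of characters, including an empty
    one); everything else is literal, and the comparison is case-insensitive.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def matches_rule(event):
    """True when the event satisfies the rule:

    process where subtype.create and
      process_name == "wmic.exe" and command_line == "* *shadowcopy* *delete*"
    """
    return (
        event.get("event_type") == "process"
        and event.get("subtype") == "create"
        and eql_wildcard_match(event.get("process_name", ""), PROCESS_NAME)
        and eql_wildcard_match(event.get("command_line", ""), COMMAND_LINE_PATTERN)
    )


# Constructed sample events; values are made up for this example.
SAMPLE_EVENTS = [
    # Plain deletion: expected to match.
    {"id": 1, "event_type": "process", "subtype": "create",
     "process_name": "wmic.exe", "command_line": "wmic shadowcopy delete"},
    # Different casing and an extra switch: still matches (case-insensitive, `*`).
    {"id": 2, "event_type": "process", "subtype": "create",
     "process_name": "WMIC.exe",
     "command_line": "WMIC.exe SHADOWCOPY DELETE /nointeractive"},
    # Benign wmic usage: no match.
    {"id": 3, "event_type": "process", "subtype": "create",
     "process_name": "wmic.exe", "command_line": "wmic os get caption"},
    # Same effect via vssadmin.exe: outside this rule's scope.
    {"id": 4, "event_type": "process", "subtype": "create",
     "process_name": "vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    # Process termination with a matching command line: subtype.create is false.
    {"id": 5, "event_type": "process", "subtype": "terminate",
     "process_name": "wmic.exe", "command_line": "wmic shadowcopy delete"},
    # Renamed wmic binary: process_name no longer matches.
    {"id": 6, "event_type": "process", "subtype": "create",
     "process_name": "w.exe", "command_line": "w.exe shadowcopy delete"},
]


def matching_ids(events):
    """Return the ids of the events the rule would fire on."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(matching_ids(SAMPLE_EVENTS))  # [1, 2]
```

Events 4 to 6 show what the query does not cover: a different deletion tool, a non-creation event for an otherwise matching command line, and a renamed binary. The pattern also requires a space before `shadowcopy` and before `delete`, so a command line with those words run together does not match.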