# Volume Shadow Copy Deletion via VssAdmin

Identifies suspicious use of vssadmin.exe to delete volume shadow copies.

| id | d3a327b6-c517-43f2-8e97-1f06b7370705 |
|---|---|
| categories | detect |
| confidence | medium |
| os | windows |
| created | 11/30/2018 |
| updated | 05/17/2019 |
## Query

```eql
process where subtype.create and
  process_name == "vssadmin.exe" and command_line == "*delete* *shadows*"
```
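The following is an added example, not part of the original analytic or of the EQL library, showing how the query's two conditions are evaluated against process-creation events. It assumes events are plain dictionaries with `event_type`, `subtype`, `process_name` and `command_line` keys (a simplified stand-in for the EQL event schema), implements the `*` wildcard with case-insensitive matching the way EQL string comparisons behave, and runs the rule over a handful of constructed sample events, including a benign `list shadows` invocation that must not fire and a non-creation event that must be ignored.

```python
import re

# Rule fields taken from the analytic above.
RULE = {
    "id": "d3a327b6-c517-43f2-8e97-1f06b7370705",
    "name": "Volume Shadow Copy Deletion via VssAdmin",
    "process_name": "vssadmin.exe",
    "command_line": "*delete* *shadows*",
}


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an EQL-style wildcard string into an anchored regex.

    '*' matches any run of characters (including none); every other character
    is literal. EQL string comparisons are case-insensitive, so IGNORECASE is set.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def matches_rule(event: dict, rule: dict = RULE) -> bool:
    """Return True when a single event satisfies every condition of the query."""
    # `process where subtype.create`: only process-creation events are considered.
    if event.get("event_type") != "process" or event.get("subtype") != "create":
        return False
    # `process_name == "vssadmin.exe"` (case-insensitive equality).
    if event.get("process_name", "").lower() != rule["process_name"]:
        return False
    # `command_line == "*delete* *shadows*"` (wildcard match).
    return wildcard_to_regex(rule["command_line"]).match(event.get("command_line", "")) is not None


# Constructed sample events (hypothetical, for demonstration only).
SAMPLE_EVENTS = [
    {"event_id": 1, "event_type": "process", "subtype": "create",
     "process_name": "vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"event_id": 2, "event_type": "process", "subtype": "create",
     "process_name": "VSSADMIN.EXE",
     "command_line": "VSSADMIN.EXE Delete Shadows /For=C: /Quiet"},
    {"event_id": 3, "event_type": "process", "subtype": "create",
     "process_name": "vssadmin.exe",
     "command_line": "vssadmin.exe list shadows"},
    {"event_id": 4, "event_type": "process", "subtype": "create",
     "process_name": "vssadmin.exe",
     "command_line": "vssadmin.exe delete shadowstorage /for=C: /quiet"},
    {"event_id": 5, "event_type": "process", "subtype": "terminate",
     "process_name": "vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
]


def run_detection(events=SAMPLE_EVENTS) -> list:
    """Apply the rule to a stream of events and return the matching ones."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection():
        print(f"[{RULE['name']}] event {hit['event_id']}: {hit['command_line']}")
```

Two behaviours of the wildcard are worth noting when tuning this rule. Because the comparison is case-insensitive, `Delete Shadows` fires just as `delete shadows` does, so case changes in the command line do not evade it. And because `*shadows*` matches any substring starting with `shadows`, the pattern also fires on `delete shadowstorage`, which likewise removes existing shadow copies; that is a reasonable side effect for a medium-confidence analytic, but it is the kind of overlap to be aware of when triaging hits.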