Volume Shadow Copy Deletion via WMIC

Identifies use of wmic for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.

id:7163f069-a756-4edc-a9f2-28546dcb04b0 categories:detect confidence:medium os:windows created:11/30/2018 updated:05/17/2019

MITRE ATT&CK™ Mapping

tactics:Impact techniques:T1490 Inhibit System Recovery

Query

process where subtype.create and
  process_name == "wmic.exe" and command_line == "* *shadowcopy* *delete*"

Detonation

Atomic Red Team: T1490

Contributors

• Endgame