Volume Shadow Copy Deletion via VssAdmin

Identifies suspicious use of vssadmin.exe to delete volume shadow copies.

id:d3a327b6-c517-43f2-8e97-1f06b7370705 categories:detect confidence:medium os:windows created:11/30/2018 updated:05/17/2019

MITRE ATT&CK™ Mapping

tactics:Impact techniques:T1490 Inhibit System Recovery

Query

process where subtype.create and
    process_name == "vssadmin.exe" and command_line == "*delete* *shadows*"

Detonation

Atomic Red Team: T1490

Contributors

• Endgame