Volume Shadow Copy Deletion via VssAdmin

Identifies suspicious use of vssadmin.exe to delete volume shadow copies.

id: d3a327b6-c517-43f2-8e97-1f06b7370705
categories: detect
confidence: medium
os: windows
created: 11/30/2018
updated: 05/17/2019

MITRE ATT&CK™ Mapping

tactics: Impact
techniques: T1490 Inhibit System Recovery

Query

process where subtype.create and
    process_name == "vssadmin.exe" and command_line == "*delete* *shadows*"
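The following is an added example, not part of the original analytic: it applies the same matching logic as the query above to a handful of constructed process-creation events, mimicking EQL's case-insensitive wildcard string comparison with fnmatch. The event field names (event_type, subtype, process_name, command_line) are assumed for illustration.

```python
"""Added example: Python equivalent of the EQL analytic

    process where subtype.create and
        process_name == "vssadmin.exe" and command_line == "*delete* *shadows*"

run over constructed sample events (not real telemetry)."""
import fnmatch


def eql_match(value: str, pattern: str) -> bool:
    """EQL string comparison: case-insensitive, '*' matches any run of characters.
    Only '*' is used in the patterns here, so fnmatch's '?' and '[...]' do not matter."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_vssadmin_shadow_delete(event: dict) -> bool:
    """True when the event satisfies every clause of the analytic's query."""
    return (
        event.get("event_type") == "process"
        and event.get("subtype") == "create"          # subtype.create
        and eql_match(event.get("process_name", ""), "vssadmin.exe")
        and eql_match(event.get("command_line", ""), "*delete* *shadows*")
    )


def find_alerts(events):
    """Return the command lines of all events that trigger the analytic."""
    return [e["command_line"] for e in events if is_vssadmin_shadow_delete(e)]


# Constructed sample events (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "process", "subtype": "create", "process_name": "vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},      # mixed case: matches
    {"event_type": "process", "subtype": "create", "process_name": "VSSADMIN.EXE",
     "command_line": "vssadmin delete shadows /for=C: /oldest"},       # matches
    {"event_type": "process", "subtype": "create", "process_name": "vssadmin.exe",
     "command_line": "vssadmin list shadows"},                         # enumeration only: no match
    {"event_type": "process", "subtype": "terminate", "process_name": "vssadmin.exe",
     "command_line": "vssadmin delete shadows /all"},                  # not a create event: no match
]

if __name__ == "__main__":
    for command_line in find_alerts(SAMPLE_EVENTS):
        print("ALERT: vssadmin shadow copy deletion:", command_line)
```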

Contributors