Volume Shadow Copy Deletion via VssAdmin

Identifies suspicious use of vssadmin.exe to delete volume shadow copies.

id:d3a327b6-c517-43f2-8e97-1f06b7370705
categories:detect
confidence:medium
os:windows
created:11/30/2018
updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Defense Evasion
techniques:T1107 File Deletion

Query

process where subtype.create and
    process_name == "vssadmin.exe" and command_line == "*delete* *shadows*"
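The following Python is an added example, not part of the original analytic: it replays the query's logic over a handful of constructed process-creation events so the match conditions can be exercised offline. The EQL wildcard comparison is approximated with a regular expression, and treating the comparison as case-insensitive is an assumption about this EQL dialect.

```python
import re

# Constructed sample process events (not real telemetry). Only events with
# subtype "create", process_name vssadmin.exe, and both "delete" and "shadows"
# in the command line should match the analytic.
SAMPLE_EVENTS = [
    {"event_type": "process", "subtype": "create", "process_name": "vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"event_type": "process", "subtype": "create", "process_name": "vssadmin.exe",
     "command_line": "vssadmin list shadows"},
    {"event_type": "process", "subtype": "create", "process_name": "VSSADMIN.EXE",
     "command_line": "VSSADMIN Delete Shadows /For=C: /Oldest"},
    {"event_type": "process", "subtype": "terminate", "process_name": "vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"event_type": "process", "subtype": "create", "process_name": "cmd.exe",
     "command_line": "cmd.exe /c echo delete shadows"},
]


def eql_wildcard_match(pattern, value):
    """Approximate EQL '==' with '*' wildcards: '*' matches any run of
    characters; the whole value must match. Case-insensitivity is an
    assumption about the dialect, chosen so mixed-case binaries still match."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE | re.DOTALL) is not None


def matches_rule(event):
    """Mirror: process where subtype.create and process_name == "vssadmin.exe"
    and command_line == "*delete* *shadows*"."""
    return (
        event.get("event_type") == "process"
        and event.get("subtype") == "create"
        and eql_wildcard_match("vssadmin.exe", event.get("process_name", ""))
        and eql_wildcard_match("*delete* *shadows*", event.get("command_line", ""))
    )


def find_hits(events):
    """Return the events the analytic would flag, in input order."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("HIT:", hit["process_name"], "|", hit["command_line"])
```

Note that a "list shadows" invocation and a process-termination event for the same command line are both left alone, which is the behaviour the query's `subtype.create` and `*delete*` terms are there to enforce.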

Contributors