Windows shadow copies deletion using operating systems utilities
Goal
Detects attempts to delete or manipulate Volume Shadow Copies using native Windows utilities, a common technique used by ransomware and other attackers to prevent recovery.
Strategy
This rule monitors Windows event logs for command line executions of native Windows utilities that can be used to delete or manipulate Volume Shadow Copies. The detection looks for usage of utilities such as powershell.exe, pwsh.exe, wmic.exe, vssadmin.exe, or diskshadow.exe with specific command line parameters including "shadow" and "delete". Volume Shadow Copy Service (VSS) is a Windows feature that creates backup copies or snapshots of files or volumes, even when they're in use.
Triage & Response
- Review the full command line to understand exactly which shadow copy manipulation was attempted on {{host}}.
- Identify the user account that executed the command and determine if they have a legitimate reason to manage shadow copies.
- Examine process lineage to determine the parent process that initiated the shadow copy deletion command.
- Investigate for other suspicious activities around the same timeframe, particularly file encryption operations or ransomware indicators.
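The following is an added example, not part of this rule page or Datadog's own detection engine, that shows the strategy and the triage steps above as runnable logic: it applies the rule's matching criteria (one of the named native utilities plus both the "shadow" and "delete" tokens in the command line) to a handful of constructed process-creation events, and for each hit pulls out the fields a responder needs first (host, user, parent process, full command line). The event field names (`host`, `user`, `image`, `command_line`, `parent_image`) and the sample records are assumptions made for this example, not a real log schema.

```python
import json
import ntpath

# Native utilities named by the rule; the detection only fires on these images.
WATCHED_IMAGES = {"powershell.exe", "pwsh.exe", "wmic.exe", "vssadmin.exe", "diskshadow.exe"}

# Both tokens must be present in the command line (matched case-insensitively).
REQUIRED_TOKENS = ("shadow", "delete")


def is_shadow_copy_deletion(event):
    """Return True if a process-creation event matches the rule's criteria."""
    # ntpath.basename handles Windows paths even when this runs on Linux.
    image = ntpath.basename(event.get("image", "")).lower()
    if image not in WATCHED_IMAGES:
        return False
    cmd = event.get("command_line", "").lower()
    return all(token in cmd for token in REQUIRED_TOKENS)


def triage_fields(event):
    """Collect the fields the triage steps ask for: host, user, lineage, full command."""
    return {
        "host": event.get("host"),
        "user": event.get("user"),
        "image": ntpath.basename(event.get("image", "")).lower(),
        "parent_image": ntpath.basename(event.get("parent_image", "")).lower(),
        "command_line": event.get("command_line"),
    }


def scan(lines):
    """Run the detection over JSON log lines; return one triage record per hit."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than aborting the scan
        if is_shadow_copy_deletion(event):
            hits.append(triage_fields(event))
    return hits


# Constructed sample events (assumed flat schema), loosely modelled on Windows
# process-creation logs. Two should match the rule, three should not.
SAMPLE_EVENTS = [
    {   # match: vssadmin with both tokens, launched from a cmd.exe shell
        "host": "WORKSTATION01", "user": r"CORP\jdoe",
        "image": r"C:\Windows\System32\vssadmin.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": "vssadmin.exe delete shadows /all /quiet",
    },
    {   # match: wmic with both tokens
        "host": "WORKSTATION01", "user": r"CORP\jdoe",
        "image": r"C:\Windows\System32\wbem\WMIC.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": "wmic.exe shadowcopy delete",
    },
    {   # no match: listing shadows is read-only, no "delete" token
        "host": "FILESRV02", "user": r"CORP\backupsvc",
        "image": r"C:\Windows\System32\vssadmin.exe",
        "parent_image": r"C:\Windows\System32\services.exe",
        "command_line": "vssadmin.exe list shadows",
    },
    {   # no match: PowerShell removing a file, no "shadow" token
        "host": "WORKSTATION01", "user": r"CORP\jdoe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'powershell.exe -Command "Remove-Item C:\Temp\old.log"',
    },
    {   # no match: third-party agent is not one of the watched native utilities,
        # even though its command line carries both tokens (a known limit of the rule)
        "host": "FILESRV02", "user": "NT AUTHORITY\\SYSTEM",
        "image": r"C:\Program Files\ExampleBackup\agent.exe",
        "parent_image": r"C:\Windows\System32\services.exe",
        "command_line": "agent.exe --delete-shadow-snapshot --older-than 30d",
    },
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(json.dumps(hit))
```

The last sample illustrates the rule's scope: it is keyed to the named native utilities, so shadow copy manipulation performed through other binaries is not covered by this rule and would need a separate detection.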