Windows PowerShell volume shadow copy deletion
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detects deletion of Windows Volume Shadow Copies through PowerShell and WMI/CIM commands.
Strategy
This rule monitors Windows event logs for PowerShell script block execution that targets Volume Shadow Copies for deletion. It specifically looks for PowerShell commands that use WMI or CIM interfaces to interact with Win32_ShadowCopy objects, combined with various deletion methods. Volume Shadow Copy Service (VSS) is a Windows feature that creates backup copies or snapshots of files or volumes, even when they’re in use. Attackers commonly delete these shadow copies to prevent recovery of encrypted files during ransomware attacks or to remove forensic evidence. This activity is a strong indicator of an attack designed to inhibit system recovery capabilities.
Triage & Response
- Examine the PowerShell script block content on
{{host}} to verify the shadow copy deletion attempt and understand the full context of the command execution. - Identify the user account that executed the PowerShell commands and determine if this was authorized activity.
- Review authentication events prior to the shadow copy deletion to identify potential account compromise.
- Check for other indicators of ransomware activity, such as unusual file encryption operations or ransom notes.
- Look for evidence of data exfiltration before the shadow copy deletion, which could indicate a multi-stage attack.
- Reset credentials for accounts that executed the suspicious commands if they were compromised.
- Implement PowerShell logging and Script Block Logging across the environment if not already enabled.
