Windows shadow copies deletion using operating systems utilities

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects attempts to delete or manipulate Volume Shadow Copies using native Windows utilities, a common technique used by ransomware and other attackers to prevent recovery.

Strategy

This rule monitors Windows event logs for command-line executions of native Windows utilities that can delete or manipulate Volume Shadow Copies. The detection looks for powershell.exe, pwsh.exe, wmic.exe, vssadmin.exe, or diskshadow.exe launched with command-line parameters that include both "shadow" and "delete". The Volume Shadow Copy Service (VSS) is a Windows feature that creates backup copies or snapshots of files or volumes, even while they are in use.

Triage & Response

  • Review the full command line to understand exactly which shadow copy manipulation was attempted on {{host}}.
  • Identify the user account that executed the command and determine if they have a legitimate reason to manage shadow copies.
  • Examine process lineage to determine the parent process that initiated the shadow copy deletion command.
  • Investigate for other suspicious activities around the same timeframe, particularly file encryption operations or ransomware indicators.
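The following is an added example of the detection logic described under Strategy, run over constructed process-creation events, with each alert carrying the host, user, parent process and full command line that the Triage & Response steps ask for. It is not Datadog's rule implementation; the event field names (image, command_line, parent_image, user, host) and the sample records are assumptions shaped loosely after Sysmon Event ID 1 / Security 4688 data.

```python
import json
import ntpath

# Utilities the rule watches for (from the page), matched on the image basename.
SUSPECT_IMAGES = {"powershell.exe", "pwsh.exe", "wmic.exe", "vssadmin.exe", "diskshadow.exe"}

# Both tokens must be present in the command line; matched case-insensitively,
# since Windows utilities accept "Delete Shadows", "delete shadows", etc.
REQUIRED_TOKENS = ("shadow", "delete")


def is_shadow_copy_deletion(image, command_line):
    """Return True when a process-creation event matches the rule's conditions."""
    name = ntpath.basename(image).lower()          # C:\Windows\System32\vssadmin.exe -> vssadmin.exe
    if name not in SUSPECT_IMAGES:
        return False
    cmd = command_line.lower()
    return all(token in cmd for token in REQUIRED_TOKENS)


def evaluate(events):
    """Return a triage-ready alert record for every matching event."""
    alerts = []
    for ev in events:
        if is_shadow_copy_deletion(ev["image"], ev["command_line"]):
            alerts.append({
                "timestamp": ev["timestamp"],
                "host": ev["host"],                  # which host it happened on
                "user": ev["user"],                  # account to check for a legitimate reason
                "parent_image": ev["parent_image"],  # process lineage
                "command_line": ev["command_line"],  # full command line to review
            })
    return alerts


# Constructed sample events (hypothetical field names and values, not real telemetry).
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T10:02:11Z", "host": "WS-042", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"timestamp": "2024-05-01T10:05:40Z", "host": "WS-042", "user": "CORP\\backupsvc",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "parent_image": "C:\\Program Files\\Backup\\agent.exe",
     "command_line": "vssadmin.exe list shadows"},              # no "delete": benign listing
    {"timestamp": "2024-05-01T10:07:03Z", "host": "SRV-DB1", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "wmic.exe shadowcopy delete"},
    {"timestamp": "2024-05-01T10:09:27Z", "host": "SRV-DB1", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "powershell.exe -Command \"Get-CimInstance Win32_ShadowCopy | ForEach-Object { $_.Delete() }\""},
    {"timestamp": "2024-05-01T10:11:00Z", "host": "WS-042", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "notepad.exe delete_shadow_notes.txt"},   # tokens present, image not watched
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Three of the five sample events fire (the vssadmin delete, the WMIC shadowcopy delete and the PowerShell Win32_ShadowCopy removal); the vssadmin listing and the notepad launch do not. Matching on the image basename rather than the full path keeps the check independent of where the binary was launched from, and lower-casing both the image name and the command line avoids misses on mixed-case parameters.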