---
title: Windows shadow copies deletion using operating systems utilities
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Windows shadow copies deletion using
  operating systems utilities
---

# Windows shadow copies deletion using operating systems utilities

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
- Classification: attack
- Tactic: [TA0040-impact](https://attack.mitre.org/tactics/TA0040)
- Technique: [T1490-inhibit-system-recovery](https://attack.mitre.org/techniques/T1490)

## Goal{% #goal %}

Detects attempts to delete or manipulate Volume Shadow Copies using native Windows utilities, a common technique used by ransomware and other attackers to prevent recovery.

## Strategy{% #strategy %}

Volume Shadow Copy Service (VSS) is a Windows feature that creates backup copies or snapshots of files or volumes, even while they are in use; ransomware routinely removes these snapshots before encrypting so that victims cannot roll back. This rule monitors Windows event logs for command-line executions of the native utilities that can delete or manipulate shadow copies: `powershell.exe`, `pwsh.exe`, `wmic.exe`, `vssadmin.exe`, or `diskshadow.exe` launched with a command line containing the strings `shadow` and `delete`.
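The matching logic described above, re-implemented as an added example that is not Datadog's own rule code. The page does not show the rule's query, so the exact behaviour here (image basename compared case-insensitively against the watched set, both keywords required anywhere in the command line) is this example's assumption, and the event field names, hosts, users and sample command lines are all constructed. The records carry the user and parent fields that the triage steps below ask for.

```python
"""Added example (not Datadog's rule code): the shadow-copy deletion detection
logic, re-implemented in Python and run over constructed process-creation events."""
import ntpath

# Native utilities the rule watches, compared on the lower-cased image basename.
WATCHED_IMAGES = {"powershell.exe", "pwsh.exe", "wmic.exe",
                  "vssadmin.exe", "diskshadow.exe"}

# Assumption: both substrings must appear (case-insensitively) in the command line.
REQUIRED_TERMS = ("shadow", "delete")


def image_basename(image_path: str) -> str:
    """'C:\\Windows\\System32\\wbem\\WMIC.exe' -> 'wmic.exe'."""
    return ntpath.basename(image_path).lower()


def matches_rule(image_path: str, command_line: str) -> bool:
    """True when a watched utility ran with 'shadow' and 'delete' on its command line."""
    if image_basename(image_path) not in WATCHED_IMAGES:
        return False
    lowered = command_line.lower()
    return all(term in lowered for term in REQUIRED_TERMS)


def event(image, cmd, parent, user="CORP\\jdoe", host="ws-finance-07"):
    """Constructed process-creation record; the field names are this example's own,
    loosely modelled on the attributes of Security event 4688."""
    return {"host": host, "user": user, "parent": parent, "image": image, "cmd": cmd}


SYSTEM32 = "C:\\Windows\\System32\\"
CMD = SYSTEM32 + "cmd.exe"
DROPPER = "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"  # hypothetical unsigned parent

# Constructed sample events: three the rule should flag, four it should not.
SAMPLE_EVENTS = [
    event(SYSTEM32 + "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet", DROPPER),
    event(SYSTEM32 + "wbem\\WMIC.exe", "wmic shadowcopy delete", CMD),
    event(SYSTEM32 + "WindowsPowerShell\\v1.0\\powershell.exe",
          'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
          DROPPER),
    # Benign: enumerates shadow copies, no deletion verb.
    event(SYSTEM32 + "vssadmin.exe", "vssadmin.exe list shadows", CMD),
    # Not a watched utility, even though both keywords appear.
    event(CMD, 'cmd.exe /c echo "delete shadow" > note.txt', CMD),
    # Blind spots of a substring rule: the deletion verbs live inside the
    # diskshadow script file, or in a cmdlet name that does not contain 'delete'.
    event(SYSTEM32 + "diskshadow.exe", "diskshadow.exe /s C:\\Temp\\cleanup.txt", CMD),
    event("C:\\Program Files\\PowerShell\\7\\pwsh.exe",
          'pwsh.exe -c "Get-CimInstance Win32_ShadowCopy | Remove-CimInstance"', CMD),
]


def evaluate(events):
    """Return the events that trigger the rule."""
    return [e for e in events if matches_rule(e["image"], e["cmd"])]


def triage_line(e) -> str:
    """One line with the fields triage asks for: host, user, parent process, command line."""
    return f"{e['host']} user={e['user']} parent={ntpath.basename(e['parent'])} cmd={e['cmd']}"


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(triage_line(hit))
```

The first three samples match and the `list shadows` and `cmd.exe` samples do not, which is the behaviour the rule description implies. The last two samples are the check a practitioner should make: `diskshadow.exe /s scriptfile` and `Remove-CimInstance` both remove shadow copies without the word `delete` ever reaching the command line, so a keyword rule of this shape needs complementary coverage (for example, reviewing diskshadow script contents or VSS-side events) rather than being treated as complete T1490 detection.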

## Triage & Response{% #triage--response %}

- Review the full command line to understand exactly which shadow copy manipulation was attempted on `{{host}}`.
- Identify the user account that executed the command and determine whether it has a legitimate reason to manage shadow copies; backup agents and storage administration scripts are the usual benign sources, while an interactive user or a process running from a temporary directory is not.
- Examine process lineage to determine the parent process that initiated the shadow copy deletion command.
- Investigate for other suspicious activities around the same timeframe, particularly file encryption operations or ransomware indicators.
