Windows delete volume shadow copies via WMI with PowerShell
Goal
Detects attempts to delete Windows Volume Shadow Copies using PowerShell with WMI commands.
Strategy
This detection monitors PowerShell event logs for commands that use WMI objects targeting Win32_ShadowCopy with deletion operations. The detection looks for event data containing both “Get-WmiObject” and “Win32_ShadowCopy” strings along with either “Delete()” or “Remove-WmiObject” in the PowerShell script block logging.
Volume Shadow Copies provide point-in-time snapshots that allow for backup and recovery of files. Threat actors, particularly in ransomware attacks, often target these snapshots to prevent recovery options. By monitoring for commands that explicitly target and delete these shadow copies, Datadog detects potential data destruction activities.
Triage & Response
- Identify the
{{host}} system where shadow copies were deleted using PowerShell and WMI. - Determine which user account executed the PowerShell commands by examining related event logs.
- Review the full PowerShell script or command to understand the context and scope of the deletion.
- Examine surrounding events for other suspicious activities, particularly file encryption attempts or unusual process execution.
- If the shadow copies were legitimate backups, verify if critical data has been backed up through other means.
- Look for signs of ransomware deployment such as ransom notes or encrypted files with unusual extensions.
- Check for persistence mechanisms established prior to shadow copy deletion.
- Investigate network connections for command and control communication.
