GET /api/techniques/175/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"id": 175,
"key": "volume-shadow-copy-service-vscvss-deletion",
"unprotect_id": "U0305,T1070.004",
"name": "Volume Shadow Copy Service (VSC,VSS) Deletion",
"description": "Deleting Volume Shadow Copy makes the forensic investigation more difficult in terms of the recovery of previous artifact evidence. In addition, attackers using ransomware often delete VSCs not to be able to recover the original files of the encrypted files from VSCs. \r\n\r\nOn the other hand, deleting by using vssadmin and WMIC is on a file system level, the actual data remains in clusters. Thus, it may be able to be recovered from VSC until other files overwrite the clusters.",
"resources": "https://docs.microsoft.com/ja-jp/windows-server/administration/windows-commands/vssadmin-delete-shadows\nhttps://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\nhttps://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware\nhttps://blog.avast.com/zepto-ransomware-now-introduces-new-features-to-better-encrypt-your-files\nhttp://www.kazamiya.net/DeletedSC\nhttps://github.com/mnrkbys/vss_carver\nhttps://www.shadowexplorer.com/",
"creation_date": "2022-02-24T05:19:24.338000Z",
"tags": "VSC,ShadowCopy,Ransomware",
"modification_date": "2023-10-04T10:42:47.308000Z",
"category": [
8,
10
],
"rules": [
33,
34,
37,
56,
63
],
"attachments": [],
"featured_api": [],
"contributors": [
18
]
}
