(CAPA) CAPA_Delete_Volume_Shadow_Copy
Created the . Updated 1 year, 10 months ago.
rule:
meta:
name: delete volume shadow copies
namespace: impact/inhibit-system-recovery
author: moritz.raabe@mandiant.com
scope: function
att&ck:
- Impact::Inhibit System Recovery [T1490]
- Defense Evasion::Indicator Removal on Host::File Deletion [T1070.004]
mbc:
- Impact::Data Destruction::Delete Shadow Copies [E1485.m04]
examples:
- B87E9DD18A5533A09D3E48A7A1EFBCF6:0x140006AF0
features:
- or:
- string: /vssadmin.* delete shadows/i
- string: /vssadmin.* resize shadowstorage/i
- string: /wmic.* shadowcopy delete/i
Associated Techniques
| Technique Name | Technique ID's | Has Snippet(s) |
|---|---|---|
| Volume Shadow Copy Service (VSC,VSS) Deletion | U0305 T1070.004 |