(CAPA) Delete Volume Shadow Copy

rule:
  meta:
    name: delete volume shadow copies
    namespace: impact/inhibit-system-recovery
    author: moritz.raabe@mandiant.com
    scope: function
    att&ck:
      - Impact::Inhibit System Recovery [T1490]
      - Defense Evasion::Indicator Removal on Host::File Deletion [T1070.004]
    mbc:
      - Impact::Data Destruction::Delete Shadow Copies [E1485.m04]
    examples:
      - B87E9DD18A5533A09D3E48A7A1EFBCF6:0x140006AF0
  features:
    - or:
      - string: /vssadmin.* delete shadows/i
      - string: /vssadmin.* resize shadowstorage/i
      - string: /wmic.* shadowcopy delete/i
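
The rule above matches when any one of its three regex string features is found in a function. As an added example (not part of the capa project or this page), the snippet below evaluates that `or` block over a constructed list of strings recovered from a function; it assumes capa's `/.../i` syntax maps to a case-insensitive Python regex applied with `re.search`.

```python
import re

# The three regex string features from the capa rule on this page, in capa's
# own /pattern/flags syntax.
RULE_FEATURES = [
    r"/vssadmin.* delete shadows/i",
    r"/vssadmin.* resize shadowstorage/i",
    r"/wmic.* shadowcopy delete/i",
]

def compile_capa_regex(feature: str) -> re.Pattern:
    """Turn a capa `string: /.../i` feature into a compiled Python regex.
    Assumption: the body between the slashes is a Python-style regex and a
    trailing `i` flag requests case-insensitive matching."""
    if not feature.startswith("/"):
        raise ValueError("expected a /regex/ feature")
    body, _, flags = feature[1:].rpartition("/")
    return re.compile(body, re.IGNORECASE if "i" in flags else 0)

def function_matches(strings):
    """Evaluate the rule's `or` block over the strings of one function.
    Returns (feature, string) pairs for every feature that hit; any
    non-empty result means the rule fires for that function."""
    hits = []
    for feature in RULE_FEATURES:
        pattern = compile_capa_regex(feature)
        # Assumption: capa searches for the regex anywhere in the string.
        hits.extend((feature, s) for s in strings if pattern.search(s))
    return hits

def rule_matches(strings) -> bool:
    return bool(function_matches(strings))

# Constructed sample: strings as they might be referenced from one function.
# The first three are the recovery-inhibiting commands the rule targets; the
# last two are benign and must not fire.
SAMPLE_FUNCTION_STRINGS = [
    "vssadmin.exe Delete Shadows /All /Quiet",
    "vssadmin Resize ShadowStorage /For=C: /MaxSize=401MB",
    "WMIC shadowcopy delete",
    "vssadmin list shadows",
    "notepad.exe",
]

if __name__ == "__main__":
    for feature, s in function_matches(SAMPLE_FUNCTION_STRINGS):
        print(f"{feature}  <-  {s!r}")
```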

Associated Techniques

Technique Name                                  Technique IDs       Snippet(s)   OS
Volume Shadow Copy Service (VSC, VSS) Deletion  U0305, T1070.004

Created

June 20, 2022

Last Revised

November 13, 2024