rule: meta: name: delete volume shadow copies namespace: impact/inhibit-system-recovery author: moritz.raabe@mandiant.com scope: function att&ck: - Impact::Inhibit System Recovery [T1490] - Defense Evasion::Indicator Removal on Host::File Deletion [T1070.004] mbc: - Impact::Data Destruction::Delete Shadow Copies [E1485.m04] examples: - B87E9DD18A5533A09D3E48A7A1EFBCF6:0x140006AF0 features: - or: - string: /vssadmin.* delete shadows/i - string: /vssadmin.* resize shadowstorage/i - string: /wmic.* shadowcopy delete/i