Volume Shadow Copy Service (VSC,VSS) Deletion

Created the Thursday 24 February 2022. Updated 1 year, 1 month ago.

Deleting Volume Shadow Copy makes the forensic investigation more difficult in terms of the recovery of previous artifact evidence. In addition, attackers using ransomware often delete VSCs not to be able to recover the original files of the encrypted files from VSCs.

On the other hand, deleting by using vssadmin and WMIC is on a file system level, the actual data remains in clusters. Thus, it may be able to be recovered from VSC until other files overwrite the clusters.

Technique Identifiers

U0305 T1070.004

Technique Tags

VSC ShadowCopy Ransomware

Code Snippets

vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete /nointeractive
vssadmin resize shadowstorage /for= /on= /maxsize=

About Author Open Snippet

Author: hackeT / Target Platform: Windows

Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }
Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
Get-WmiObject Win32_ShadowCopy | Remove-WmiObject

About Author Open Snippet

Author: hackeT / Target Platform: Windows

Detection Rules

rule shadow_copy_deletion {
    meta:
      description = "Detect shadow copy deletion"
      author = "ditekSHen/Unprotect"

    strings:
        $x1 = "cmd.exe /c \"vssadmin.exe Delete Shadows /all /quiet\"" fullword ascii
        $x2 = "C:\\Windows\\System32\\cmd.exe" fullword ascii
        $cmd1 = "cmd /c \"WMIC.exe shadowcopy delet\"" ascii wide nocase
        $cmd2 = "vssadmin.exe Delete Shadows /all" ascii wide nocase
        $cmd3 = "Delete Shadows /all" ascii wide nocase
        $cmd4 = "} recoveryenabled no" ascii wide nocase
        $cmd5 = "} bootstatuspolicy ignoreallfailures" ascii wide nocase
        $cmd6 = "wmic SHADOWCOPY DELETE" ascii wide nocase
        $cmd7 = "\\Microsoft\\Windows\\SystemRestore\\SR\" /disable" ascii wide nocase
        $cmd8 = "resize shadowstorage /for=c: /on=c: /maxsize=" ascii wide nocase
        $cmd9 = "shadowcopy where \"ID='%s'\" delete" ascii wide nocase
        $cmd10 = "wmic.exe SHADOWCOPY /nointeractive" ascii wide nocase
        $cmd11 = "WMIC.exe shadowcopy delete" ascii wide nocase
        $cmd12 = "Win32_Shadowcopy | ForEach-Object {$_.Delete();}" ascii wide nocase
        $delr = /del \/s \/f \/q(( [A-Za-z]:\\(\*\.|[Bb]ackup))(VHD|bac|bak|wbcat|bkf)?)+/ ascii wide
        $wp1 = "delete catalog -quiet" ascii wide nocase
        $wp2 = "wbadmin delete backup" ascii wide nocase
        $wp3 = "delete systemstatebackup" ascii wide nocase
      
    condition:
        (uint16(0) == 0x5a4d and 2 of ($cmd*) or (1 of ($cmd*) and 1 of ($wp*)) or #delr > 4) or (4 of them)
}

title: Delete Shadow Copy Via Powershell
status: experimental
description: Delete Shadow Copy Via Powershell
author: Joe Security
date: 2019-10-25
id: 200011
threatname:
behaviorgroup: 18
classification: 8
mitreattack: T1490

logsource:
      category: process_creation
      product: windows
detection:
      selection:      
          CommandLine:
              - '*powershell*RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==*'
      condition: selection
level: critical

title: Delete Volume Shadow Copies Via WMI With PowerShell
id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
description: Shadow Copies deletion using operating systems utilities via PowerShell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
    - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml
    - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
tags:
    - attack.impact
    - attack.t1490
status: experimental
author: frack113
date: 2021/06/03
modified: 2021/10/16
logsource:
    product: windows
    category: ps_classic_start
    definition: fields have to be extract from event
detection:
    selection_obj:
        HostApplication|contains|all:
            - 'Get-WmiObject'
            - ' Win32_Shadowcopy'
    selection_del:
        HostApplication|contains:
            - 'Delete()'
            - 'Remove-WmiObject'
    condition: selection_obj and selection_del
fields:
    - HostApplication
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
level: critical

title: Shadow Copies Deletion Using Operating Systems Utilities
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
status: stable
description: Shadow Copies deletion using operating systems utilities
author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019/10/22
modified: 2021/10/24
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://blog.talosintelligence.com/2017/05/wannacry.html
    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
    - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
    - https://github.com/Neo23x0/Raccine#the-process
    - https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar
    - https://redcanary.com/blog/intelligence-insights-october-2021/
tags:
    - attack.defense_evasion
    - attack.impact
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\powershell.exe'
            - '\wmic.exe'
            - '\vssadmin.exe'
            - '\diskshadow.exe'
        CommandLine|contains|all:
            - shadow  # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
            - delete
    selection2:
        Image|endswith:
            - '\wbadmin.exe'
        CommandLine|contains|all:
            - delete
            - catalog
            - quiet # will match -quiet or /quiet
    selection3:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains|all:
            - resize
            - shadowstorage
            - unbounded
    condition: 1 of selection*
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
level: critical

rule:
  meta:
    name: delete volume shadow copies
    namespace: impact/inhibit-system-recovery
    author: moritz.raabe@mandiant.com
    scope: function
    att&ck:
      - Impact::Inhibit System Recovery [T1490]
      - Defense Evasion::Indicator Removal on Host::File Deletion [T1070.004]
    mbc:
      - Impact::Data Destruction::Delete Shadow Copies [E1485.m04]
    examples:
      - B87E9DD18A5533A09D3E48A7A1EFBCF6:0x140006AF0
  features:
    - or:
      - string: /vssadmin.* delete shadows/i
      - string: /vssadmin.* resize shadowstorage/i
      - string: /wmic.* shadowcopy delete/i

Contributor

hackeT

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.