
Volume Shadow Copy Service (VSC, VSS) Deletion
Deleting Volume Shadow Copies makes a forensic investigation harder, because the snapshots that would otherwise preserve earlier versions of files and other artifacts are gone. Ransomware operators also routinely delete VSCs so that victims cannot restore the original, unencrypted files from a snapshot (MITRE ATT&CK T1490, Inhibit System Recovery).
Note, however, that deletion through vssadmin or WMIC happens at the file-system level: the shadow copy's catalog and store files are unlinked, but the data in the underlying clusters is not wiped. The snapshots may therefore still be recoverable, for example by carving the VSS catalog and store out of a disk image (see vss_carver under Additional Resources), until other writes overwrite those clusters.
Code Snippets
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete /nointeractive
vssadmin resize shadowstorage /for= /on= /maxsize=
Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }
Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete(); }
Get-WmiObject Win32_ShadowCopy | Remove-WmiObject
Detection Rules
rule:
  meta:
    name: delete volume shadow copies
    namespace: impact/inhibit-system-recovery
    author: moritz.raabe@mandiant.com
    scope: function
    att&ck:
      - Impact::Inhibit System Recovery [T1490]
      - Defense Evasion::Indicator Removal on Host::File Deletion [T1070.004]
    mbc:
      - Impact::Data Destruction::Delete Shadow Copies [E1485.m04]
    examples:
      - B87E9DD18A5533A09D3E48A7A1EFBCF6:0x140006AF0
  features:
    - or:
      - string: /vssadmin.* delete shadows/i
      - string: /vssadmin.* resize shadowstorage/i
      - string: /wmic.* shadowcopy delete/i
rule:
  meta:
    name: resize volume shadow copy storage
    namespace: impact/inhibit-system-recovery
    author: michael.hunhoff@mandiant.com
    scope: basic block
  features:
    - and:
      - api: kernel32.DeviceIoControl
      - number: 0x53C028 = IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE
title: Shadow Copies Deletion Using Operating Systems Utilities
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
status: stable
description: Shadow Copies deletion using operating systems utilities
author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019/10/22
modified: 2021/10/24
references:
  - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
  - https://blog.talosintelligence.com/2017/05/wannacry.html
  - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
  - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
  - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
  - https://github.com/Neo23x0/Raccine#the-process
  - https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar
  - https://redcanary.com/blog/intelligence-insights-october-2021/
tags:
  - attack.defense_evasion
  - attack.impact
  - attack.t1070
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith:
      - '\powershell.exe'
      - '\wmic.exe'
      - '\vssadmin.exe'
      - '\diskshadow.exe'
    CommandLine|contains|all:
      - shadow   # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
      - delete
  selection2:
    Image|endswith:
      - '\wbadmin.exe'
    CommandLine|contains|all:
      - delete
      - catalog
      - quiet   # will match -quiet or /quiet
  selection3:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains|all:
      - resize
      - shadowstorage
      - unbounded
  condition: 1 of selection*
fields:
  - CommandLine
  - ParentCommandLine
falsepositives:
  - Legitimate administrator deletes Shadow Copies using operating system utilities for a legitimate reason
level: critical
title: Delete Volume Shadow Copies Via WMI With PowerShell
id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
description: Shadow Copies deletion using operating systems utilities via PowerShell
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
  - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml
  - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
tags:
  - attack.impact
  - attack.t1490
status: experimental
author: frack113
date: 2021/06/03
modified: 2021/10/16
logsource:
  product: windows
  category: ps_classic_start
  definition: fields have to be extracted from the event
detection:
  selection_obj:
    HostApplication|contains|all:
      - 'Get-WmiObject'
      - ' Win32_Shadowcopy'
  selection_del:
    HostApplication|contains:
      - 'Delete()'
      - 'Remove-WmiObject'
  condition: selection_obj and selection_del
fields:
  - HostApplication
falsepositives:
  - Legitimate administrator deletes Shadow Copies using operating system utilities for a legitimate reason
level: critical
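To see what the rules above actually fire on, here is an added example (not code from SigmaHQ, from Mandiant's capa, or from this page) that re-implements the matching logic of the capa string rule and of the two Sigma rules in Python and runs it over constructed sample events built from the Code Snippets section plus a few benign commands. The helper names, the sample Image paths, and the parameter values in the resize sample are assumptions of the example; only the Sigma modifiers the two rules use (`endswith`, `contains`, `contains|all`) are implemented, with Sigma's default case-insensitive string matching.

```python
"""Added example: evaluate this page's detection logic over constructed events.

Covers:
  - capa rule "delete volume shadow copies" (three regex string features, `or`)
  - Sigma rule c947b146-... (process_creation, condition `1 of selection*`)
  - Sigma rule 87df9ee1-... (ps_classic_start, `selection_obj and selection_del`)
The events below are constructed samples, not captured logs.
"""
import re
from typing import Iterable


def _contains_all(value: str, needles: Iterable[str]) -> bool:
    v = value.casefold()                      # Sigma string matching is case-insensitive
    return all(n.casefold() in v for n in needles)


def _contains_any(value: str, needles: Iterable[str]) -> bool:
    v = value.casefold()
    return any(n.casefold() in v for n in needles)


def _endswith_any(value: str, suffixes: Iterable[str]) -> bool:
    v = value.casefold()
    return any(v.endswith(s.casefold()) for s in suffixes)


# --- capa: "delete volume shadow copies" (string features, /.../i) -----------
CAPA_STRING_PATTERNS = [
    re.compile(r"vssadmin.* delete shadows", re.IGNORECASE),
    re.compile(r"vssadmin.* resize shadowstorage", re.IGNORECASE),
    re.compile(r"wmic.* shadowcopy delete", re.IGNORECASE),
]


def capa_delete_volume_shadow_copies(strings: Iterable[str]) -> bool:
    """True if any string (e.g. one extracted from a sample) hits one of the regexes."""
    return any(p.search(s) for s in strings for p in CAPA_STRING_PATTERNS)


# --- Sigma: Shadow Copies Deletion Using Operating Systems Utilities ---------
def sigma_shadow_copy_deletion_via_utilities(event: dict) -> bool:
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    selection1 = (_endswith_any(image, ["\\powershell.exe", "\\wmic.exe",
                                        "\\vssadmin.exe", "\\diskshadow.exe"])
                  and _contains_all(cmd, ["shadow", "delete"]))
    selection2 = (_endswith_any(image, ["\\wbadmin.exe"])
                  and _contains_all(cmd, ["delete", "catalog", "quiet"]))
    selection3 = (_endswith_any(image, ["\\vssadmin.exe"])
                  and _contains_all(cmd, ["resize", "shadowstorage", "unbounded"]))
    return selection1 or selection2 or selection3   # condition: 1 of selection*


# --- Sigma: Delete Volume Shadow Copies Via WMI With PowerShell --------------
def sigma_shadow_copy_deletion_via_wmi_powershell(event: dict) -> bool:
    host_app = event.get("HostApplication", "")
    selection_obj = _contains_all(host_app, ["Get-WmiObject", " Win32_Shadowcopy"])
    selection_del = _contains_any(host_app, ["Delete()", "Remove-WmiObject"])
    return selection_obj and selection_del


# Constructed process_creation events (Image paths are assumed, not captured).
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic shadowcopy delete /nointeractive"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
    {"Image": r"C:\Windows\System32\wbadmin.exe", "CommandLine": "wbadmin delete catalog -quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin list shadows"},     # benign
    {"Image": r"C:\Windows\System32\wbadmin.exe", "CommandLine": "wbadmin get versions"},      # benign
]

# Constructed ps_classic_start events (HostApplication field only).
PS_EVENTS = [
    {"HostApplication": "powershell.exe -c Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }"},
    {"HostApplication": "powershell.exe -c Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"},
    {"HostApplication": "powershell.exe -c Get-WmiObject Win32_ShadowCopy | Select-Object ID"},  # benign
]


def matching_process_events(events=PROCESS_EVENTS):
    return [e["CommandLine"] for e in events if sigma_shadow_copy_deletion_via_utilities(e)]


def matching_ps_events(events=PS_EVENTS):
    return [e["HostApplication"] for e in events if sigma_shadow_copy_deletion_via_wmi_powershell(e)]


if __name__ == "__main__":
    for c in matching_process_events():
        print("ALERT process_creation:", c)
    for c in matching_ps_events():
        print("ALERT ps_classic_start:", c)
    print("capa hit on PS variant:", capa_delete_volume_shadow_copies([e["HostApplication"] for e in PS_EVENTS]))
```

Running it flags four of the six process events (the two benign enumeration commands do not contain "delete" or "unbounded") and two of the three PowerShell events. It also shows why the second Sigma rule exists: the capa regexes key on the `vssadmin` and `wmic` strings and do not fire on the WMI-via-PowerShell variant at all.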
Additional Resources
- vssadmin delete shadows | Microsoft Docs
- Stomping Shadow Copies - A Second Look Into Deletion Methods | FortiGuard Labs
- Threat Spotlight: Inside VSSDestroy Ransomware
- Zepto ransomware now introduces new features to better encrypt your files
- Deleted Shadow Copies | Forensicist
- GitHub - mnrkbys/vss_carver: Carves and recreates VSS catalog and store from Windows disk image.
- ShadowExplorer.com - About