Volume Shadow Copy Service (VSC,VSS) Deletion

Created Thursday 24 February 2022. Updated 7 months, 1 week ago.

Deleting Volume Shadow Copies makes a forensic investigation harder because earlier versions of files and other artifacts can no longer be recovered from them. Ransomware operators also routinely delete VSCs so that the original versions of the encrypted files cannot be restored from a shadow copy.

Deletion with vssadmin or WMIC, however, happens at the file-system level: the shadow copy's data stays in the underlying clusters. It may therefore still be recoverable from the volume until other writes overwrite those clusters.


Technique Identifiers

U0305 T1070.004

Technique Tags

VSC ShadowCopy Ransomware


Code Snippets

vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete /nointeractive
vssadmin resize shadowstorage /for= /on= /maxsize=
Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }
Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete(); }
Get-WmiObject Win32_ShadowCopy | Remove-WmiObject

Detection Rules

rule shadow_copy_deletion {
    meta:
      description = "Detect shadow copy deletion"
      author = "ditekSHen/Unprotect"

    strings:
        $x1 = "cmd.exe /c \"vssadmin.exe Delete Shadows /all /quiet\"" fullword ascii
        $x2 = "C:\\Windows\\System32\\cmd.exe" fullword ascii
        $cmd1 = "cmd /c \"WMIC.exe shadowcopy delet\"" ascii wide nocase
        $cmd2 = "vssadmin.exe Delete Shadows /all" ascii wide nocase
        $cmd3 = "Delete Shadows /all" ascii wide nocase
        $cmd4 = "} recoveryenabled no" ascii wide nocase
        $cmd5 = "} bootstatuspolicy ignoreallfailures" ascii wide nocase
        $cmd6 = "wmic SHADOWCOPY DELETE" ascii wide nocase
        $cmd7 = "\\Microsoft\\Windows\\SystemRestore\\SR\" /disable" ascii wide nocase
        $cmd8 = "resize shadowstorage /for=c: /on=c: /maxsize=" ascii wide nocase
        $cmd9 = "shadowcopy where \"ID='%s'\" delete" ascii wide nocase
        $cmd10 = "wmic.exe SHADOWCOPY /nointeractive" ascii wide nocase
        $cmd11 = "WMIC.exe shadowcopy delete" ascii wide nocase
        $cmd12 = "Win32_Shadowcopy | ForEach-Object {$_.Delete();}" ascii wide nocase
        $delr = /del \/s \/f \/q(( [A-Za-z]:\\(\*\.|[Bb]ackup))(VHD|bac|bak|wbcat|bkf)?)+/ ascii wide
        $wp1 = "delete catalog -quiet" ascii wide nocase
        $wp2 = "wbadmin delete backup" ascii wide nocase
        $wp3 = "delete systemstatebackup" ascii wide nocase

    condition:
        (uint16(0) == 0x5a4d and 2 of ($cmd*) or (1 of ($cmd*) and 1 of ($wp*)) or #delr > 4) or (4 of them)
}

title: Delete Shadow Copy Via Powershell
status: experimental
description: Delete Shadow Copy Via Powershell
author: Joe Security
date: 2019-10-25
id: 200011
threatname:
behaviorgroup: 18
classification: 8
mitreattack: T1490

logsource:
      category: process_creation
      product: windows
detection:
      selection:
          CommandLine:
              - '*powershell*RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==*'
      condition: selection
level: critical

title: Delete Volume Shadow Copies Via WMI With PowerShell
id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
description: Shadow Copies deletion using operating systems utilities via PowerShell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
    - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml
    - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
tags:
    - attack.impact
    - attack.t1490
status: experimental
author: frack113
date: 2021/06/03
modified: 2021/10/16
logsource:
    product: windows
    category: ps_classic_start
    definition: fields have to be extract from event
detection:
    selection_obj:
        HostApplication|contains|all:
            - 'Get-WmiObject'
            - ' Win32_Shadowcopy'
    selection_del:
        HostApplication|contains:
            - 'Delete()'
            - 'Remove-WmiObject'
    condition: selection_obj and selection_del
fields:
    - HostApplication
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
level: critical

title: Shadow Copies Deletion Using Operating Systems Utilities
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
status: stable
description: Shadow Copies deletion using operating systems utilities
author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019/10/22
modified: 2021/10/24
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://blog.talosintelligence.com/2017/05/wannacry.html
    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
    - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
    - https://github.com/Neo23x0/Raccine#the-process
    - https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar
    - https://redcanary.com/blog/intelligence-insights-october-2021/
tags:
    - attack.defense_evasion
    - attack.impact
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\powershell.exe'
            - '\wmic.exe'
            - '\vssadmin.exe'
            - '\diskshadow.exe'
        CommandLine|contains|all:
            - shadow  # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
            - delete
    selection2:
        Image|endswith:
            - '\wbadmin.exe'
        CommandLine|contains|all:
            - delete
            - catalog
            - quiet # will match -quiet or /quiet
    selection3:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains|all:
            - resize
            - shadowstorage
            - unbounded
    condition: 1 of selection*
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
level: critical

rule:
  meta:
    name: delete volume shadow copies
    namespace: impact/inhibit-system-recovery
    author: moritz.raabe@mandiant.com
    scope: function
    att&ck:
      - Impact::Inhibit System Recovery [T1490]
      - Defense Evasion::Indicator Removal on Host::File Deletion [T1070.004]
    mbc:
      - Impact::Data Destruction::Delete Shadow Copies [E1485.m04]
    examples:
      - B87E9DD18A5533A09D3E48A7A1EFBCF6:0x140006AF0
  features:
    - or:
      - string: /vssadmin.* delete shadows/i
      - string: /vssadmin.* resize shadowstorage/i
      - string: /wmic.* shadowcopy delete/i
