Techniques
Sample rules
Shadow Copies Deletion Using Operating Systems Utilities
- source: sigma
- technicques:
- t1070
- t1490
Description
Shadow Copies deletion using operating systems utilities
Detection logic
condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
selection1_cli:
CommandLine|contains|all:
- shadow
- delete
selection1_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- \wmic.exe
- \vssadmin.exe
- \diskshadow.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
- wmic.exe
- VSSADMIN.EXE
- diskshadow.exe
selection2_cli:
CommandLine|contains|all:
- delete
- catalog
- quiet
selection2_img:
- Image|endswith: \wbadmin.exe
- OriginalFileName: WBADMIN.EXE
selection3_cli:
CommandLine|contains:
- unbounded
- /MaxSize=
CommandLine|contains|all:
- resize
- shadowstorage
selection3_img:
- Image|endswith: \vssadmin.exe
- OriginalFileName: VSSADMIN.EXE