legitimate system maintenance or backup operations may occasionally delete shadow copies. however, this activity should be rare and typically performed through approved administrative tools rather than direct wmic commands. tune and modify the search to fit your environment, enable as ttp.

Techniques

T1490

Sample rules

Windows WMIC Shadowcopy Delete

source: splunk
technicques:
- T1490

Description

This analytic detects the use of WMIC to delete volume shadow copies, which is a common technique used by ransomware actors to prevent system recovery. Ransomware like Cactus often delete shadow copies before encrypting files to ensure victims cannot recover their data without paying the ransom. This behavior is particularly concerning as it indicates potential ransomware activity or malicious actors attempting to prevent system recovery.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe Processes.process = "*shadowcopy*" Processes.process = "*delete*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_wmic_shadowcopy_delete_filter`