vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. they may be used by administrators to legitimately delete old backup copies, although this is typically rare.

t1490
endpoint
splunk

Techniques

T1490

Sample rules

Deleting Shadow Copies

source: splunk
technicques:
- T1490

Description

The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. Wmic is an interface to the Windows Management Instrumentation. This search looks for either of these tools being used to delete shadow copies.

Detection logic


| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe) Processes.process=*delete* Processes.process=*shadow* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `deleting_shadow_copies_filter`