
Delete Volume Shadow Copies via WMI with PowerShell - PS Script

Sigma Rules

Summary
This rule detects the deletion of Windows Volume Shadow Copies from PowerShell scripts that use Windows Management Instrumentation (WMI). It matches script block text that contains all of 'Get-WmiObject', 'Win32_ShadowCopy', and '.Delete()'. Deleting shadow copies is a technique commonly used by ransomware such as Sodinokibi/REvil to remove the victim's recovery options. The rule requires PowerShell Script Block Logging to be enabled so that the full command text is captured; that detail is what makes this behavior identifiable promptly. The threat level is high because of the potential for significant data loss. The false-positive rate is currently marked as unknown, since legitimate system administration activity may also delete shadow copies.
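As an added illustration of the detection logic described above (example code written for this page, not the Sigma rule itself or the project's own code), the following Python evaluates the rule's three-token match over a handful of constructed PowerShell script block records. It assumes the rule is a Sigma `contains|all` over the script block text, which in Sigma is case-insensitive; the `ScriptBlockEvent` structure, host names and sample script blocks are all constructed for the example.

```python
"""Added example: minimal evaluator for the shadow-copy-deletion rule described above.

Assumption: the rule is a Sigma `contains|all` over the script block text
(Sigma string matching is case-insensitive). Events below are constructed
samples modelled loosely on PowerShell Script Block Logging records.
"""

from dataclasses import dataclass

# Tokens named in the rule summary; all three must appear in one script block.
REQUIRED_TOKENS = ("Get-WmiObject", "Win32_ShadowCopy", ".Delete()")


@dataclass
class ScriptBlockEvent:
    """Stand-in for a PowerShell Script Block Logging record (constructed, not real telemetry)."""
    record_id: int
    host: str
    script_block_text: str


def matches_rule(script_block_text: str) -> bool:
    """Return True when every required token occurs in the script block, ignoring case."""
    haystack = script_block_text.lower()
    return all(token.lower() in haystack for token in REQUIRED_TOKENS)


def scan(events):
    """Return the record ids of events that satisfy the rule, in input order."""
    return [e.record_id for e in events if matches_rule(e.script_block_text)]


# Constructed sample events (hypothetical hosts and content).
SAMPLE_EVENTS = [
    # Unrelated administration: no tokens, no match.
    ScriptBlockEvent(1, "ws01", "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"),
    # Lists shadow copies without deleting them: only two of three tokens, no match.
    ScriptBlockEvent(2, "ws01", "Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate"),
    # Deletes every shadow copy through WMI: all three tokens, match (T1490).
    ScriptBlockEvent(3, "srv02", "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
    # Same action in different letter case: still matches because matching is case-insensitive.
    ScriptBlockEvent(4, "srv03", "get-wmiobject win32_shadowcopy | foreach-object { $_.delete() }"),
]


if __name__ == "__main__":
    by_id = {e.record_id: e for e in SAMPLE_EVENTS}
    for rid in scan(SAMPLE_EVENTS):
        ev = by_id[rid]
        print(f"ALERT T1490 host={ev.host} record={rid}: {ev.script_block_text}")
```

Record 2 shows why the rule keys on all three tokens rather than on `Win32_ShadowCopy` alone: enumerating shadow copies is routine administration, and alerting on it would drive the unknown false-positive rate up. Records 3 and 4 show that the match does not depend on letter case, so a triage analyst can rely on the rule regardless of how the operator typed the cmdlet names.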
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • WMI
ATT&CK Techniques
  • T1490
Created: 2021-12-26