Volume Shadow Copy Deleted Using Vssadmin or Wmic

Rule added on 30th April, 2024

Rule type:

Correlation

Rule description:

The Volume Shadow Copy Service (VSS) is a Windows feature that allows administrators to create backups and take snapshots of volumes in case of accidental deletion or system failures.

However, adversaries may abuse this feature by deleting VSS copies to evade detection or prevent the recovery of encrypted files. They may achieve this using commands such as wmic.exe and vssadmin.exe.

Impact:

It can impact organizations in the following ways:

  • Data loss prevention
  • Operational disruption
  • Hindrance to ransomware prevention

Data source:

Windows:

Required configuration: The rule is based on process creation and termination events. The prerequisites are installing and configuring Sysmon, enabling the audit process creation audit policy, and enabling command line auditing.

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0040 - Impact

Techniques: T1490 - Inhibit System Recovery

Criteria:

( Process name ends with vssadmin.exe OR wmic.exe ) AND ( Command line contains shadow ) AND ( ( Command line contains "delete" ) OR ( Command line contains "resize" ) )

'vssadmin.exe' or 'wmic.exe' - These are the executables used for managing volume shadow copies.

'delete' or 'resize' - These parameters are mostly used along with "vssadmin.exe" or "wmic.exe" commands to delete or resize VSS snapshots.
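The criteria above, evaluated over a handful of constructed process-creation events, as an added example (not the product's rule engine). The event field names and the sample command lines are assumptions for illustration; the two cases that do not fire show the rule's scope: a read-only listing, and a parent shell whose child vssadmin.exe process would be logged as a separate event.

```python
"""Evaluate the page's VSS deletion criteria against constructed process events.

Example code added to this page; not the vendor's implementation. The fields
process_name and command_line are an assumed, simplified view of a process
creation event (e.g. Sysmon Event ID 1 Image / CommandLine).
"""
from dataclasses import dataclass

PROCESS_NAMES = ("vssadmin.exe", "wmic.exe")   # process name ends with one of these
SHADOW_KEYWORD = "shadow"                      # command line contains
ACTION_KEYWORDS = ("delete", "resize")         # command line contains either


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation event (assumed field names)."""
    process_name: str   # full image path as logged
    command_line: str   # command line as logged


def matches_rule(event: ProcessEvent) -> bool:
    """(name ends with vssadmin.exe OR wmic.exe) AND ('shadow' in cmd)
    AND ('delete' in cmd OR 'resize' in cmd). Case-insensitive, because
    Windows image paths and switches are case-insensitive."""
    name = event.process_name.lower()
    cmd = event.command_line.lower()
    if not name.endswith(PROCESS_NAMES):
        return False
    if SHADOW_KEYWORD not in cmd:
        return False
    return any(action in cmd for action in ACTION_KEYWORDS)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin resize shadowstorage /for=C: /on=C:"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),       # read-only
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd /c vssadmin delete shadows /all"),  # parent shell
]


def triage(events):
    """Return the command lines of the events that fire the rule, in order."""
    return [e.command_line for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The last sample does not fire on the cmd.exe event itself; the child vssadmin.exe process creation that follows is what the rule catches, which is why process creation auditing is a prerequisite.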

When to enable this rule:

Enabling this rule will help you meet the security standards' requirements listed below:

Security standards (NIST CSF 2.0):

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you're notified that volume shadow copies have been deleted or resized. This enables you to monitor the use of commands such as wmic.exe and vssadmin.exe.

Known false positives: This event may be generated by administrators performing backups in case of accidental deletion. Administrators may also use Vssadmin or Wmic for routine administrative tasks such as deleting old backup copies, although this is quite rare.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Identify the alert as a new incident or within an ongoing incident.
  • Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to terminate the malicious process.
  • Implement File Integrity Monitoring (FIM): Use FIM tools to track changes to Volume Shadow Copy files.