← Back to Explore
sigmahighHunting
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Detection Query
selection_get:
ScriptBlockText|contains:
- Get-WmiObject
- gwmi
- Get-CimInstance
- gcim
selection_shadowcopy:
ScriptBlockText|contains: Win32_ShadowCopy
selection_delete:
ScriptBlockText|contains:
- .Delete()
- Remove-WmiObject
- rwmi
- Remove-CimInstance
- rcim
condition: all of selection*
Author
Tim Rauch, frack113
Created
2022-09-20
Data Sources
windowsps_script
Platforms
windows
References
Tags
attack.impactattack.t1490
Raw Content
title: Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
id: c1337eb8-921a-4b59-855b-4ba188ddcc42
related:
- id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
type: derived
- id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40
type: similar
status: test
description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
- https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
author: Tim Rauch, frack113
date: 2022-09-20
modified: 2022-12-02
tags:
- attack.impact
- attack.t1490
logsource:
category: ps_script
product: windows
detection:
selection_get:
ScriptBlockText|contains:
- 'Get-WmiObject'
- 'gwmi'
- 'Get-CimInstance'
- 'gcim'
selection_shadowcopy:
ScriptBlockText|contains: 'Win32_ShadowCopy'
selection_delete:
ScriptBlockText|contains:
- '.Delete()'
- 'Remove-WmiObject'
- 'rwmi'
- 'Remove-CimInstance'
- 'rcim'
condition: all of selection*
falsepositives:
- Unknown
level: high