Detection rules › Sigma
Deletion of Volume Shadow Copies via WMI with PowerShell
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1490 Inhibit System Recovery |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: all of selection_get
or:
CommandLine|contains: Get-CimInstance
CommandLine|contains: Get-WmiObject
CommandLine|contains: gcim
CommandLine|contains: gwmi
Stage 2: all of selection_shadowcopy
CommandLine|contains: Win32_ShadowCopy
Stage 3: all of selection_delete
or:
CommandLine|contains: '.Delete()'
CommandLine|contains: Remove-CimInstance
CommandLine|contains: Remove-WmiObject
CommandLine|contains: rcim
CommandLine|contains: rwmi
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|