Skip to content
Threat Feed
high advisory

VssAdmin Shadow Copy Deletion or Resize

The rule identifies the use of vssadmin.exe to delete or resize shadow copies on Windows endpoints, which is a common tactic used in ransomware attacks to prevent system recovery.

Attackers, especially those deploying ransomware, often delete or resize Volume Shadow Copies (VSS) to hinder system recovery and force victims to pay the ransom. This activity involves using vssadmin.exe with commands to delete or resize shadow storage, effectively removing a readily available recovery option for the victim. The Elastic rule published on 2020-02-18 and updated on 2026-04-07, detects such behavior by monitoring process executions for vssadmin.exe with specific arguments related to shadow copy deletion or resizing. The rule is designed to work with a variety of data sources including endpoint logs, Windows Security Event Logs, Sysmon, and data from security products like Microsoft Defender XDR, SentinelOne, and Crowdstrike.

Attack Chain

  1. The attacker gains initial access to the system through various means (e.g., phishing, exploit).
  2. The attacker escalates privileges to gain administrative access, which is required to manipulate VSS.
  3. The attacker executes vssadmin.exe to identify existing shadow copies.
  4. The attacker uses vssadmin.exe delete shadows /all /quiet command to delete all shadow copies.
  5. Alternatively, the attacker might use vssadmin.exe resize shadowstorage to significantly reduce the storage allocated for shadow copies, effectively crippling the VSS functionality.
  6. The attacker deploys ransomware, encrypting files on the system.
  7. The victim, now without readily available shadow copies, is left with limited recovery options and is more likely to pay the ransom.

Impact

Successful deletion or resizing of shadow copies significantly reduces the victim's ability to recover from ransomware attacks without paying the ransom. This tactic increases the likelihood of data loss, business disruption, and financial impact on the targeted organization. The number of victims varies based on the scope of the ransomware campaign, but it can range from individual machines to entire networks.

Recommendation

  • Deploy the "Volume Shadow Copy Deleted or Resized via VssAdmin" Sigma rule to your SIEM to detect this specific behavior, and tune for your environment.
  • Enable Sysmon process creation logging for event ID 1 to ensure the necessary data is available for the Sigma rule.
  • Investigate any alerts generated by the Sigma rule "Volume Shadow Copy Deleted or Resized via VssAdmin", paying close attention to the parent processes and user accounts involved.
  • Consider implementing application control policies to restrict the execution of vssadmin.exe to authorized users and processes only.

Detection coverage 2

VssAdmin Shadow Copy Deletion

high

Detects the execution of vssadmin.exe to delete shadow copies, a common ransomware tactic.

sigma tactics: impact techniques: T1490 sources: process_creation, windows

VssAdmin Shadow Storage Resize

medium

Detects the execution of vssadmin.exe to resize shadow storage, which could cripple VSS.

sigma tactics: impact techniques: T1490 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →