VssAdmin Shadow Copy Deletion or Resize
The rule identifies the use of vssadmin.exe to delete or resize shadow copies on Windows endpoints, which is a common tactic used in ransomware attacks to prevent system recovery.
Attackers, especially those deploying ransomware, often delete or resize Volume Shadow Copies (VSS) to hinder system recovery and force victims to pay the ransom. This activity involves using vssadmin.exe with commands to delete or resize shadow storage, effectively removing a readily available recovery option for the victim. The Elastic rule published on 2020-02-18 and updated on 2026-04-07, detects such behavior by monitoring process executions for vssadmin.exe with specific arguments related to shadow copy deletion or resizing. The rule is designed to work with a variety of data sources including endpoint logs, Windows Security Event Logs, Sysmon, and data from security products like Microsoft Defender XDR, SentinelOne, and Crowdstrike.
Attack Chain
- The attacker gains initial access to the system through various means (e.g., phishing, exploit).
- The attacker escalates privileges to gain administrative access, which is required to manipulate VSS.
- The attacker executes
vssadmin.exeto identify existing shadow copies. - The attacker uses
vssadmin.exe delete shadows /all /quietcommand to delete all shadow copies. - Alternatively, the attacker might use
vssadmin.exe resize shadowstorageto significantly reduce the storage allocated for shadow copies, effectively crippling the VSS functionality. - The attacker deploys ransomware, encrypting files on the system.
- The victim, now without readily available shadow copies, is left with limited recovery options and is more likely to pay the ransom.
Impact
Successful deletion or resizing of shadow copies significantly reduces the victim's ability to recover from ransomware attacks without paying the ransom. This tactic increases the likelihood of data loss, business disruption, and financial impact on the targeted organization. The number of victims varies based on the scope of the ransomware campaign, but it can range from individual machines to entire networks.
Recommendation
- Deploy the "Volume Shadow Copy Deleted or Resized via VssAdmin" Sigma rule to your SIEM to detect this specific behavior, and tune for your environment.
- Enable Sysmon process creation logging for event ID 1 to ensure the necessary data is available for the Sigma rule.
- Investigate any alerts generated by the Sigma rule "Volume Shadow Copy Deleted or Resized via VssAdmin", paying close attention to the parent processes and user accounts involved.
- Consider implementing application control policies to restrict the execution of
vssadmin.exeto authorized users and processes only.
Detection coverage 2
VssAdmin Shadow Copy Deletion
highDetects the execution of vssadmin.exe to delete shadow copies, a common ransomware tactic.
VssAdmin Shadow Storage Resize
mediumDetects the execution of vssadmin.exe to resize shadow storage, which could cripple VSS.
Detection queries are available on the platform. Get full rules →