high advisory

Volume Shadow Copy Deletion via PowerShell

Detects the use of PowerShell to delete volume shadow copies, a tactic commonly employed by ransomware and other destructive attacks to hinder data recovery efforts.

Attackers frequently delete volume shadow copies (VSS) to prevent victims from recovering their data after a ransomware attack or other destructive event. This tactic involves using legitimate system administration tools like PowerShell to remove shadow copies, which are essentially snapshots of data volumes at a specific point in time. This activity is often performed in tandem with ransomware deployment or other destructive actions, making it a critical indicator of potential malicious activity. This rule identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion.

Attack Chain

  1. Attacker gains initial access to the system (e.g., via phishing or exploit).
  2. Attacker executes PowerShell with elevated privileges.
  3. PowerShell is used to enumerate shadow copies using Get-WmiObject (gwmi) or Get-CimInstance (gcim) and the Win32_ShadowCopy class.
  4. The attacker filters the shadow copies to be deleted, potentially targeting all available copies.
  5. PowerShell deletes the shadow copies by calling the .Delete() method on each object or by piping them to the Remove-WmiObject (rwmi) or Remove-CimInstance (rcim) cmdlets.
  6. The system’s recovery options are significantly reduced or eliminated.
  7. Ransomware is deployed, encrypting files.
  8. Victim is unable to restore from shadow copies, increasing the likelihood of paying the ransom.

Impact

Successful deletion of volume shadow copies significantly hinders or eliminates data recovery options for victims of ransomware or other destructive attacks. This can lead to substantial data loss, prolonged downtime, and increased financial impact, potentially forcing victims to pay ransoms. Organizations without viable backups may face critical business disruptions.

Recommendation

  • Deploy the Sigma rule Detect Volume Shadow Copy Deletion via PowerShell to your SIEM to detect this behavior.
  • Enable Sysmon process creation logging with command line auditing to ensure proper logging of PowerShell activity for the Sigma rule.
  • Monitor PowerShell execution for commands targeting Win32_ShadowCopy with deletion methods based on the Sigma rule’s logic.
  • Investigate any alerts generated by the Sigma rule, prioritizing those with unusual parent processes or user contexts as described in the rule’s false positive analysis.
  • Implement strict access controls and monitoring for administrative accounts to limit the ability of attackers to execute PowerShell commands related to shadow copy deletion.
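As an added illustration of the detection logic this rule relies on (not the platform's own Sigma rule), the Python below approximates it over constructed Sysmon process_creation records: a PowerShell host image whose command line names Win32_ShadowCopy together with one of the deletion methods listed above. Plain enumeration with gwmi/gcim does not fire, and the parent-process triage hint from the recommendation is included; the PowerShell image list and the expected-parent set are my assumptions, tune them to your environment.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process_creation) fields for illustration; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "pwsh -c gcim Win32_ShadowCopy | rcim"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-CimInstance Win32_ShadowCopy | Select-Object InstallDate,VolumeName"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]

# Host processes the rule is scoped to (assumption: the advisory just says "PowerShell").
POWERSHELL_IMAGES = (r"\powershell.exe", r"\pwsh.exe", r"\powershell_ise.exe")
SHADOW_CLASS = re.compile(r"\bWin32_ShadowCopy\b", re.IGNORECASE)
# Deletion methods named in the advisory: .Delete(), Remove-WmiObject/rwmi, Remove-CimInstance/rcim.
DELETE_METHOD = re.compile(r"\.Delete\(\)|\b(?:Remove-WmiObject|rwmi|Remove-CimInstance|rcim)\b", re.IGNORECASE)
# Parents considered routine for interactive admin use; placeholder list, tune per environment.
EXPECTED_PARENTS = {"explorer.exe", "windowsterminal.exe", "mmc.exe"}


def matches_rule(event: Dict[str, str]) -> bool:
    """Approximation of the rule's logic: a PowerShell host whose command line names
    Win32_ShadowCopy together with a deletion method. Enumeration alone (gwmi/gcim
    with no deletion method) does not match, so backup health checks stay quiet."""
    image = event.get("Image", "").lower()
    if not image.endswith(POWERSHELL_IMAGES):
        return False
    cmd = event.get("CommandLine", "")
    return bool(SHADOW_CLASS.search(cmd) and DELETE_METHOD.search(cmd))


def priority(event: Dict[str, str]) -> str:
    """Triage hint from the recommendation: an unusual parent process ranks higher."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    return "high" if parent not in EXPECTED_PARENTS else "medium"


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rule over a batch of process_creation events and return alerts."""
    return [{"index": str(i), "priority": priority(e), "command": e["CommandLine"]}
            for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```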

Detection coverage (2 rules)

Detect Volume Shadow Copy Deletion via PowerShell

high

Detects PowerShell commands used to delete volume shadow copies using WMI or CIM.

Rule type: sigma | Tactics: impact | Techniques: T1490 | Sources: process_creation, windows

Detect Suspicious PowerShell Shadow Copy Deletion with Alternate Methods

medium

Detects PowerShell commands that may delete volume shadow copies using less common methods.

Rule type: sigma | Tactics: impact | Techniques: T1490 | Sources: process_creation, windows
