{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/volume-shadow-copy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["impact","windows","powershell","volume shadow copy","ransomware"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently delete volume shadow copies (VSS) to prevent victims from recovering their data after a ransomware attack or other destructive event. This tactic involves using legitimate system administration tools like PowerShell to remove shadow copies, which are essentially snapshots of data volumes at a specific point in time. This activity is often performed in tandem with ransomware deployment or other destructive actions, making it a critical indicator of potential malicious activity. \nThis rule identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system (e.g., via phishing or exploit).\u003c/li\u003e\n\u003cli\u003eAttacker executes PowerShell with elevated privileges.\u003c/li\u003e\n\u003cli\u003ePowerShell is used to enumerate shadow copies using \u003ccode\u003eGet-WmiObject\u003c/code\u003e (gwmi) or \u003ccode\u003eGet-CimInstance\u003c/code\u003e (gcim) and the \u003ccode\u003eWin32_ShadowCopy\u003c/code\u003e class.\u003c/li\u003e\n\u003cli\u003eThe attacker filters the shadow copies to be deleted, potentially targeting all available copies.\u003c/li\u003e\n\u003cli\u003ePowerShell executes the deletion of shadow copies using \u003ccode\u003e.Delete()\u003c/code\u003e, \u003ccode\u003eRemove-WmiObject\u003c/code\u003e (rwmi), or \u003ccode\u003eRemove-CimInstance\u003c/code\u003e (rcim) methods.\u003c/li\u003e\n\u003cli\u003eThe system\u0026rsquo;s recovery options are significantly reduced or eliminated.\u003c/li\u003e\n\u003cli\u003eRansomware is deployed, encrypting files.\u003c/li\u003e\n\u003cli\u003eVictim is unable to restore from shadow copies, increasing the likelihood of paying the ransom.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of volume shadow copies significantly hinders or eliminates data recovery options for victims of ransomware or other destructive attacks. This can lead to substantial data loss, prolonged downtime, and increased financial impact, potentially forcing victims to pay ransoms. \nOrganizations without viable backups may face critical business disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Volume Shadow Copy Deletion via PowerShell\u003c/code\u003e to your SIEM to detect this behavior.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command line auditing to ensure proper logging of PowerShell activity for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution for commands targeting \u003ccode\u003eWin32_ShadowCopy\u003c/code\u003e with deletion methods based on the Sigma rule\u0026rsquo;s logic.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, prioritizing those with unusual parent processes or user contexts as described in the rule\u0026rsquo;s false positive analysis.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring for administrative accounts to limit the ability of attackers to execute PowerShell commands related to shadow copy deletion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:36:55Z","date_published":"2026-05-12T15:36:55Z","id":"https://feed.craftedsignal.io/briefs/2026-05-volume-shadow-copy-deletion/","summary":"Detects the use of PowerShell to delete volume shadow copies, a tactic commonly employed by ransomware and other destructive attacks to hinder data recovery efforts.","title":"Volume Shadow Copy Deletion via PowerShell","url":"https://feed.craftedsignal.io/briefs/2026-05-volume-shadow-copy-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Volume Shadow Copy","version":"https://jsonfeed.org/version/1.1"}