Attack Chain

1. Attacker gains initial access to the system (e.g., via phishing or exploit).
2. Attacker executes PowerShell with elevated privileges.
3. PowerShell is used to enumerate shadow copies using Get-WmiObject (gwmi) or Get-CimInstance (gcim) and the Win32_ShadowCopy class.
4. The attacker filters the shadow copies to be deleted, potentially targeting all available copies.
5. PowerShell executes the deletion of shadow copies using .Delete(), Remove-WmiObject (rwmi), or Remove-CimInstance (rcim) methods.
6. The system’s recovery options are significantly reduced or eliminated.
7. Ransomware is deployed, encrypting files.
8. Victim is unable to restore from shadow copies, increasing the likelihood of paying the ransom.

Impact

Successful deletion of volume shadow copies significantly hinders or eliminates data recovery options for victims of ransomware or other destructive attacks. This can lead to substantial data loss, prolonged downtime, and increased financial impact, potentially forcing victims to pay ransoms. Organizations without viable backups may face critical business disruptions.

Recommendation

• Deploy the Sigma rule Detect Volume Shadow Copy Deletion via PowerShell to your SIEM to detect this behavior.
• Enable Sysmon process creation logging with command line auditing to ensure proper logging of PowerShell activity for the Sigma rule.
• Monitor PowerShell execution for commands targeting Win32_ShadowCopy with deletion methods based on the Sigma rule’s logic.
• Investigate any alerts generated by the Sigma rule, prioritizing those with unusual parent processes or user contexts as described in the rule’s false positive analysis.
• Implement strict access controls and monitoring for administrative accounts to limit the ability of attackers to execute PowerShell commands related to shadow copy deletion.