Skip to content

Hide Navigation Hide TOC

Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script (c1337eb8-921a-4b59-855b-4ba188ddcc42)

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Cluster A Galaxy A Cluster B Galaxy B Level
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script (c1337eb8-921a-4b59-855b-4ba188ddcc42) Sigma-Rules Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern 1