Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script (c1337eb8-921a-4b59-855b-4ba188ddcc42)
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families, such as Sodinokibi/REvil.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script (c1337eb8-921a-4b59-855b-4ba188ddcc42) | Sigma-Rules | Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | 1 |