<<< Hide Navigation Hide TOC >>>

Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script (c1337eb8-921a-4b59-855b-4ba188ddcc42)

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Rows: 1

Loading extensions...

Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

---

TableFilter v0.7.2

https://www.tablefilter.com/
©2015-2025 Max Guglielmi

Close

?

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
	Clear Sigma-Rules		Clear Attack Pattern	Clear 1
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script (c1337eb8-921a-4b59-855b-4ba188ddcc42)	Sigma-Rules	Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a)	Attack Pattern	1