Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script (c1337eb8-921a-4b59-855b-4ba188ddcc42)

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script (c1337eb8-921a-4b59-855b-4ba188ddcc42) | Sigma-Rules | Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | 1 |