Query Details

Vssadmindelete

Query

name: Defense Evasion, Indicators Shadow Copy Deletion
description: Shadow Copies deletion using Vssadmin or Wmic
references: https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags: Defense Evasion, T1490, T1070
search_query: 
(DeviceProcessEvents
| where FileName has_any ("vssadmin.exe","wmic.exe") and (ProcessCommandLine contains "shadow" and ProcessCommandLine contains "delete")
)
Notes:

Explanation

This query looks for process creation events in which shadow copies are deleted using Vssadmin or Wmic on a Windows host: the image name must be vssadmin.exe or wmic.exe, and the command line must contain both "shadow" and "delete". It is filed under Defense Evasion, and the indicators are tagged with ATT&CK techniques T1490 and T1070.
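To make the predicate concrete, here is an added example (not part of the original query page) that re-implements the KQL `where` clause in Python and runs it over a handful of constructed DeviceProcessEvents rows. The `has`/`has_any` and `contains` helpers are approximations of the KQL operators (case-insensitive whole-term match and case-insensitive substring match respectively), and the sample rows are invented, not real telemetry.

```python
import re

# Constructed sample rows of the DeviceProcessEvents table (not real telemetry).
SAMPLE_EVENTS = [
    {"FileName": "vssadmin.exe",
     "ProcessCommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"FileName": "WMIC.exe",
     "ProcessCommandLine": "WMIC shadowcopy delete"},
    {"FileName": "vssadmin.exe",
     "ProcessCommandLine": "vssadmin list shadows"},
    {"FileName": "vssadmin.exe",
     "ProcessCommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=5%"},
    {"FileName": "cmd.exe",
     "ProcessCommandLine": 'cmd.exe /c "vssadmin delete shadows /all"'},
]


def kql_has(value: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match of `term` as a whole
    term, i.e. not embedded inside a longer alphanumeric run."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, value, re.IGNORECASE) is not None


def kql_has_any(value: str, terms) -> bool:
    """Approximate KQL `has_any`: true if any term matches via `has`."""
    return any(kql_has(value, t) for t in terms)


def kql_contains(value: str, needle: str) -> bool:
    """KQL `contains`: case-insensitive substring match."""
    return needle.lower() in value.lower()


def matches_shadow_deletion(event: dict) -> bool:
    """The page's `where` predicate, evaluated against one event row."""
    return (
        kql_has_any(event["FileName"], ("vssadmin.exe", "wmic.exe"))
        and kql_contains(event["ProcessCommandLine"], "shadow")
        and kql_contains(event["ProcessCommandLine"], "delete")
    )


def run_query(events):
    """`DeviceProcessEvents | where ...` over an in-memory list of rows."""
    return [e for e in events if matches_shadow_deletion(e)]


if __name__ == "__main__":
    for hit in run_query(SAMPLE_EVENTS):
        print(f"ALERT {hit['FileName']}: {hit['ProcessCommandLine']}")
```

Only the first two rows match: the `list` and `resize` invocations lack "delete", and the cmd.exe row fails the FileName test because the query keys on the image name (the child vssadmin.exe process would produce its own row, which would match).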

Details


Ali Hussein

Released: February 18, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,FileName,ProcessCommandLine

Operators

|, where, has_any, contains
