Shadow Copy Deletion via VSS Tools — Basic Detection
Basic detection of VSS shadow copy deletion via vssadmin, wmic, PowerShell, or bcdedit. Backup deletion is one of the most reliable ransomware precursors in endpoint telemetry and should generate an immediate alert in any SOC environment regardless of other context; the few legitimate sources (a backup agent pruning old snapshots, an administrator reclaiming disk space) are rare enough to allow-list by parent process or account rather than to tolerate in the rule.
Tags: Malware, ransomware, vss, shadow-copy, backup-deletion, T1490 (Inhibit System Recovery)
Source: FDR | Difficulty: Beginner | Author: darkreitor | 2 min read
Query
// ──────────────────────────────────────────────────────────
// Shadow Copy Deletion Detection — Beginner Tier
//
// VSS shadow copy deletion is the single most reliable ransomware
// precursor in endpoint telemetry. Any match here warrants
// immediate escalation regardless of other context.
//
// Covers four common recovery-inhibition methods:
// 1. vssadmin delete shadows (most common, most obvious)
// 2. wmic shadowcopy delete (slightly stealthier)
// 3. PowerShell Get-WmiObject Win32_ShadowCopy | Remove-WmiObject (stealthiest;
//    the same pattern also matches the CIM cmdlet equivalents)
// 4. bcdedit /set recoveryenabled no (disables automatic boot recovery)
// ──────────────────────────────────────────────────────────
#event_simpleName=ProcessRollup2
event_platform=Win
// Filter to the four binaries used for VSS management and boot recovery.
// bcdedit is included separately: it disables the Windows Recovery Environment
// rather than deleting shadow copies.
| FileName=/^(vssadmin\.exe|wmic\.exe|powershell\.exe|bcdedit\.exe)$/i
// Match command line patterns for shadow copy deletion
// Regex covers the four most common attacker approaches
| CommandLine=/(vssadmin.*delete\s+shadows|shadowcopy\s+delete|Win32_ShadowCopy.*Remove|recoveryenabled\s+no)/i
// No aggregation — every single event is a high-confidence alert
// Output raw events for immediate analyst review and escalation
| table([@timestamp, ComputerName, UserName, FileName, CommandLine])
| sort(@timestamp, order=desc)
| head(500)

Explanation
| Pipe | Description |
|---|---|
| `#event_simpleName=ProcessRollup2 event_platform=Win` | Scopes to Windows process-creation events only; VSS is a Windows-only feature, so this is the narrowest possible starting point for the detection. |
| `FileName=/^(vssadmin\.exe\|wmic\.exe\|powershell\.exe\|bcdedit\.exe)$/i` | Limits to the four binaries that manage VSS and recovery configuration. The anchors (`^` and `$`) prevent partial-name matches against similarly named binaries; `/i` handles mixed-case file names. |
| `CommandLine=/(vssadmin.*delete\s+shadows\|shadowcopy\s+delete\|Win32_ShadowCopy.*Remove\|recoveryenabled\s+no)/i` | The signal filter: requires the command line to explicitly reference shadow copy deletion or boot recovery disabling. Eliminates false positives from legitimate `vssadmin list` or `wmic shadowcopy get` usage. |
| `table([@timestamp, ComputerName, UserName, FileName, CommandLine])` | Raw event output, no `groupBy` or aggregation. Every matching event is a high-confidence alert requiring immediate review. `@timestamp` enables rapid timeline reconstruction during IR. |
| `sort(@timestamp, order=desc) \| head(500)` | Most recent events first. `head(500)` provides a large buffer: in a ransomware incident you may see dozens of deletion attempts in rapid succession across multiple hosts. |
Adjustable Variables
- head(500) cap: raise the head() limit during active incident response to see the full scope of deletion events.
- Scope to one endpoint: add ComputerName=<hostname> before the FileName filter during triage.
- Windows Server Backup: add `wbadmin\.exe` to the FileName regex and `wbadmin.*delete` to the CommandLine regex. Adding only the command-line alternative never fires, because wbadmin.exe is rejected by the FileName filter first.
- PowerShell 7 runs as pwsh.exe, which the FileName filter does not include; add it wherever PowerShell 7 is deployed.
- `vssadmin resize shadowstorage` purges existing shadow copies by shrinking their storage quota and is a common substitute for `delete shadows`; consider `resize\s+shadowstorage` as a further CommandLine alternative.
- Encoded PowerShell (`-EncodedCommand`) hides `Win32_ShadowCopy` from the CommandLine regex entirely; pair this rule with one that flags encoded PowerShell invocations.
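To check the two regexes against concrete command lines before deploying the query, here is an added Python re-implementation of the filter chain. It is example code written for this page, not the original query and not CrowdStrike's code. It runs over constructed ProcessRollup2-style events (hostnames, account and timestamps are made up), applies the wbadmin extension to both filters, and also demonstrates the encoded-PowerShell caveat: the plain regex misses an `-EncodedCommand` payload until it is decoded, which the hypothetical `decode_encoded_command` helper does for the example.

```python
import base64
import re

# The query's two regexes in Python syntax (the /i flag becomes re.I), with the
# wbadmin extension applied to BOTH filters: a new CommandLine alternative alone
# never fires, because wbadmin.exe is rejected by the FileName filter first.
FILENAME_RE = re.compile(
    r"^(vssadmin\.exe|wmic\.exe|powershell\.exe|bcdedit\.exe|wbadmin\.exe)$", re.I)
COMMANDLINE_RE = re.compile(
    r"(vssadmin.*delete\s+shadows|shadowcopy\s+delete|Win32_ShadowCopy.*Remove"
    r"|recoveryenabled\s+no|wbadmin.*delete)", re.I)

# Assumed helper, not part of the page's query: pull the base64 payload out of
# -EncodedCommand (and its short forms) and decode it as UTF-16LE.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events, decode_encoded=False, limit=500):
    """Apply the query's filters; return matches newest first, capped like head()."""
    hits = []
    for e in events:
        if e.get("event_simpleName") != "ProcessRollup2" or e.get("event_platform") != "Win":
            continue
        if not FILENAME_RE.search(e.get("FileName", "")):
            continue
        cmd = e.get("CommandLine", "")
        decoded = decode_encoded_command(cmd) if decode_encoded else None
        if COMMANDLINE_RE.search(cmd) or (decoded and COMMANDLINE_RE.search(decoded)):
            hits.append(e)
    hits.sort(key=lambda e: e["@timestamp"], reverse=True)
    return hits[:limit]


def _ev(ts, host, filename, cmdline, platform="Win"):
    return {"event_simpleName": "ProcessRollup2", "event_platform": platform,
            "@timestamp": ts, "ComputerName": host, "UserName": "CORP\\jdoe",
            "FileName": filename, "CommandLine": cmdline}


# Constructed sample events for the example; hosts, account and times are made up.
ENCODED_WMI = base64.b64encode(
    "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:01Z", "WS01", "vssadmin.exe",
        "vssadmin.exe Delete Shadows /All /Quiet"),
    _ev("2024-05-01T10:00:02Z", "WS01", "wmic.exe", "wmic.exe shadowcopy delete"),
    _ev("2024-05-01T10:00:03Z", "WS02", "powershell.exe",
        'powershell.exe -Command "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"'),
    _ev("2024-05-01T10:00:04Z", "WS02", "bcdedit.exe",
        "bcdedit.exe /set {default} recoveryenabled No"),
    _ev("2024-05-01T10:00:05Z", "SRV01", "wbadmin.exe", "wbadmin.exe delete catalog -quiet"),
    # Encoded form of the third event: the plain regex never sees "Win32_ShadowCopy".
    _ev("2024-05-01T10:00:06Z", "WS03", "powershell.exe",
        f"powershell.exe -NoP -EncodedCommand {ENCODED_WMI}"),
    # Benign enumeration: passes the FileName filter, fails the CommandLine filter.
    _ev("2024-05-01T09:30:00Z", "WS01", "vssadmin.exe", "vssadmin.exe list shadows"),
    # Parent shell: fails the FileName filter. The spawned vssadmin.exe child is
    # what the query catches, so the parent is not a missed detection.
    _ev("2024-05-01T09:31:00Z", "WS01", "cmd.exe", "cmd.exe /c vssadmin delete shadows /all"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, decode_encoded=True):
        print(hit["@timestamp"], hit["ComputerName"], hit["FileName"], hit["CommandLine"][:60])
```

With the default `decode_encoded=False`, which mirrors the query as written, the five overt events match and the encoded one does not; switching decoding on adds it as the newest hit. The decoding is only there to make the gap visible: in production the encoded case belongs to a separate rule on `-EncodedCommand` usage rather than to this one.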