VSS Shadow Copy Deletion - Basic Ransomware Pre-Encryption Indicator
Detects deletion of Windows Volume Shadow Copies via vssadmin.exe or wmic.exe, the most universally performed ransomware preparation step executed by virtually all modern ransomware families including WannaCry, ALPHV, Play, LockBit, and Akira to eliminate local snapshot recovery options before encrypting files — essential beginner detection for any Windows endpoint monitoring program
Tags: EDR, shadow-copy, vssadmin, ransomware, inhibit-recovery, T1490
FDR | Beginner | by darkreitor | 1 min read
Query
```
#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(vssadmin\.exe|wmic\.exe)/
| CommandLine=/(?i)(delete\s+shadows|shadowcopy.*delete)/
| groupBy([ComputerName, UserName, FileName, CommandLine])
| sort(@timestamp, order=desc, limit=25)
```

Explanation
| Pipe | Description |
|---|---|
| `#repo="base_sensor" #event_simpleName=ProcessRollup2` | Queries the FDR base sensor repository for ProcessRollup2 process execution events across all monitored Windows endpoints |
| `FileName=/(?i)(vssadmin\.exe\|wmic\.exe)/` | Matches the two most commonly used shadow copy deletion tools: vssadmin.exe (the dedicated VSS management utility) and wmic.exe (the WMI command-line tool, used with the shadowcopy delete syntax by many ransomware families) |
| `CommandLine=/(?i)(delete\s+shadows\|shadowcopy.*delete)/` | Case-insensitive match for shadow deletion command arguments; covers both the 'vssadmin delete shadows /all /quiet' and 'wmic shadowcopy delete' syntax variations used across ransomware families |
| `groupBy([ComputerName, UserName, FileName, CommandLine])` | Groups results by hostname, user account, tool name, and full command line for easy analyst review and host-level correlation |
| `sort(@timestamp, order=desc, limit=25)` | Returns the 25 most recent matches, newest first, for immediate SOC triage and incident scoping |
Adjustable Variables
Increase limit (default 25) for larger environments. Expand coverage by adding wbadmin.exe and bcdedit.exe patterns for backup catalog deletion and boot recovery disablement. Narrow scope with ComputerName or UserName field filters when investigating a specific incident or host group.
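As an added illustration (not part of the original query or darkreitor's content), the Python below reimplements the pipeline's filter, groupBy and sort logic over a handful of constructed ProcessRollup2-style events, and also shows the wbadmin.exe/bcdedit.exe extension suggested under Adjustable Variables. The event field names and the wbadmin/bcdedit command forms (the well-known T1490 variants) are assumptions, not taken from the page.

```python
import re

# Constructed sample ProcessRollup2-style events (assumed field names, not real telemetry)
EVENTS = [
    {"ComputerName": "WS-0142", "UserName": "jdoe", "FileName": "vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet", "timestamp": 1700000300},
    {"ComputerName": "WS-0142", "UserName": "jdoe", "FileName": "WMIC.exe",
     "CommandLine": "wmic shadowcopy delete", "timestamp": 1700000301},
    {"ComputerName": "WS-0142", "UserName": "jdoe", "FileName": "vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet", "timestamp": 1700000302},
    {"ComputerName": "SRV-BKP01", "UserName": "backupsvc", "FileName": "vssadmin.exe",
     "CommandLine": "vssadmin list shadows", "timestamp": 1700000100},  # benign: no match
    {"ComputerName": "WS-0142", "UserName": "jdoe", "FileName": "wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet", "timestamp": 1700000303},
]

# The two regex filters from the query; an event must pass both.
FILE_RE = re.compile(r"(?i)(vssadmin\.exe|wmic\.exe)")
CMD_RE = re.compile(r"(?i)(delete\s+shadows|shadowcopy.*delete)")

# "Adjustable Variables" extension: add wbadmin.exe / bcdedit.exe. The command
# forms below are the widely documented T1490 variants (an assumption, not from the page).
EXT_FILE_RE = re.compile(r"(?i)(vssadmin\.exe|wmic\.exe|wbadmin\.exe|bcdedit\.exe)")
EXT_CMD_RE = re.compile(
    r"(?i)(delete\s+shadows|shadowcopy.*delete|delete\s+catalog|recoveryenabled\s+no)")

GROUP_KEYS = ("ComputerName", "UserName", "FileName", "CommandLine")


def matches(event, extended=False):
    """Equivalent of the FileName and CommandLine filter pipes (case-insensitive)."""
    file_re, cmd_re = (EXT_FILE_RE, EXT_CMD_RE) if extended else (FILE_RE, CMD_RE)
    return bool(file_re.search(event["FileName"]) and cmd_re.search(event["CommandLine"]))


def detect(events, extended=False, limit=25):
    """groupBy([ComputerName, UserName, FileName, CommandLine]) with a _count per group,
    then newest first with a row limit. The newest timestamp seen per group is carried
    through the grouping so the final sort has a time field to order on."""
    groups = {}
    for ev in events:
        if not matches(ev, extended):
            continue
        key = tuple(ev[k] for k in GROUP_KEYS)
        row = groups.setdefault(key, dict(zip(GROUP_KEYS, key), _count=0, latest=0))
        row["_count"] += 1
        row["latest"] = max(row["latest"], ev["timestamp"])
    return sorted(groups.values(), key=lambda r: r["latest"], reverse=True)[:limit]
```

Run `detect(EVENTS)` to get the two grouped vssadmin/wmic hits from WS-0142 (the benign `list shadows` event is dropped), and `detect(EVENTS, extended=True)` to see the wbadmin catalog deletion surface as the newest row.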