title: Delete Volume Shadow Copies Via WMI With PowerShell
id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
description: Shadow Copies deletion using operating systems utilities via PowerShell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
    - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml
    - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
tags:
    - attack.impact
    - attack.t1490
status: experimental
author: frack113
date: 2021/06/03
logsource:
    product: windows
    service: powershell-classic
detection:
    selection_obj:
        CommandLine|contains|all:
            - 'Get-WmiObject'
            - ' Win32_Shadowcopy'
    selection_del:
        CommandLine|contains:
            - 'Delete()'
            - 'Remove-WmiObject'
    selection_eventid:
        EventID:
            - 400
            - 403
            - 600
    condition: selection_obj and selection_del and selection_eventid
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
level: critical