Volume Shadow Copy Deletion via VSSAdmin or WMIC (E8-08 Backups)

E8-08 (Regular Backups) | ML1 | critical | experimental
Description
Detects deletion of Windows Volume Shadow Copies using vssadmin.exe, wmic.exe, or PowerShell. This is a near-universal step in ransomware deployment — removing VSS copies prevents recovery without paying the ransom. E8-08 (Regular Backups) is undermined entirely if shadow copies are deleted before the backup state is recognised as compromised.
Rule Source (Sigma YAML)
title: Volume Shadow Copy Deletion via VSSAdmin or WMIC (E8-08 Backups)
id: 5b12f946-5a70-4082-9159-583846e566c0
status: experimental
description: |
    Detects deletion of Windows Volume Shadow Copies using vssadmin.exe, wmic.exe,
    or PowerShell. This is a near-universal step in ransomware deployment — removing
    VSS copies prevents recovery without paying the ransom. E8-08 (Regular Backups)
    is undermined entirely if shadow copies are deleted before the backup state is
    recognised as compromised.
references:
    - https://attack.mitre.org/techniques/T1490/
    - https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
author: Roni Biju
date: 2026-03-02
modified: 2026-03-02
tags:
    - e8.control.08
    - e8.maturity.ml1
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_vssadmin:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains|all:
            - 'delete'
            - 'shadows'
    selection_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains|all:
            - 'shadowcopy'
            - 'delete'
    selection_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        # Either cmdlet form (OR) AND the Delete() call. The two conditions must use
        # distinct field modifiers: a second 'CommandLine|contains' key would be a
        # duplicate YAML key and silently overwrite the first.
        CommandLine|contains:
            - 'Get-WmiObject Win32_Shadowcopy'
            - 'Get-CimInstance Win32_ShadowCopy'
        CommandLine|contains|all:
            - 'Delete()'
    selection_wbadmin:
        Image|endswith: '\wbadmin.exe'
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
    condition: selection_vssadmin or selection_wmic or selection_powershell or selection_wbadmin
falsepositives:
    - Disk cleanup tools that manage shadow copy storage (Disk Cleanup wizard)
    - Backup software that rotates shadow copy snapshots
    - Administrative scripts managing disk space
level: critical
custom:
    e8_control: E8-08
    e8_maturity: ML1
    e8_bypass_technique: VSS deletion to prevent backup recovery (pre-ransomware)
    false_positive_rate: low
    tuning_notes: |
        This is a critical-priority rule. Very few legitimate operations delete
        ALL shadow copies. Consider automated containment (host isolation) on
        this alert in environments with SOAR capability.
        Correlate with high-volume file-rename events (.locked, .encrypted
        extensions) for ransomware confirmation.
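To check the selection logic against telemetry before deploying it, here is an added Python re-implementation of the rule's four selections (example code, not the rule or the project's own) run over constructed Sysmon-style process-creation events; it assumes Sigma's default case-insensitive contains/endswith matching and reads the PowerShell selection as "either cmdlet form AND Delete()".

```python
# Added example (not the project's code): re-implements the rule's four selections
# and runs them over constructed Sysmon-style process-creation events.
# Assumes Sigma's default case-insensitive 'contains'/'endswith' matching.
SAMPLE_EVENTS = [  # constructed sample inputs, not real telemetry
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},  # benign enumeration
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-WmiObject Win32_Shadowcopy | % {$_.Delete()}"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-CimInstance Win32_ShadowCopy | Select ID"},  # read-only
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin get versions"},  # benign
]

def ends_with(value, suffixes):  # Image|endswith (list = OR)
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def contains(value, needles, all_of=False):  # CommandLine|contains / |contains|all
    hits = (n.lower() in value.lower() for n in needles)
    return all(hits) if all_of else any(hits)

# One predicate per block of the Sigma 'detection' section.
SELECTIONS = {
    "selection_vssadmin": lambda e: ends_with(e["Image"], [r"\vssadmin.exe"])
        and contains(e["CommandLine"], ["delete", "shadows"], all_of=True),
    "selection_wmic": lambda e: ends_with(e["Image"], [r"\wmic.exe"])
        and contains(e["CommandLine"], ["shadowcopy", "delete"], all_of=True),
    # either cmdlet form (OR) AND the Delete() call: two distinct field modifiers
    "selection_powershell": lambda e: ends_with(e["Image"], [r"\powershell.exe", r"\pwsh.exe"])
        and contains(e["CommandLine"], ["Get-WmiObject Win32_Shadowcopy",
                                        "Get-CimInstance Win32_ShadowCopy"])
        and contains(e["CommandLine"], ["Delete()"], all_of=True),
    "selection_wbadmin": lambda e: ends_with(e["Image"], [r"\wbadmin.exe"])
        and contains(e["CommandLine"], ["delete", "catalog"], all_of=True),
}

def match_rule(event):
    """Name of the first matching selection, or None (condition is a plain OR)."""
    return next((name for name, test in SELECTIONS.items() if test(event)), None)

def scan(events):
    """(selection, CommandLine) for every event that fires the rule."""
    return [(match_rule(e), e["CommandLine"]) for e in events if match_rule(e)]
```

The read-only enumeration events (list shadows, Select ID, get versions) are kept in the sample set to show that the rule stays quiet on them.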
Tuning Notes
This is a critical-priority rule. Very few legitimate operations delete ALL shadow copies. Consider automated containment (host isolation) on this alert in environments with SOAR capability. Correlate with high-volume file-rename events (.locked, .encrypted extensions) for ransomware confirmation.
E8 Control: E8-08
Min. Maturity: ML1
Severity: critical
FP Rate: low
Log Source: windows / process_creation
Rule ID: 5b12f946-5a70-4082-9159-583846e566c0
File: rules/e8-08-backups/e8_08_shadow_copy_deletion.yml
Bypass Technique: VSS deletion to prevent backup recovery (pre-ransomware)
ATT&CK Techniques: T1490
False Positives
  • Disk cleanup tools that manage shadow copy storage (Disk Cleanup wizard)
  • Backup software that rotates shadow copy snapshots
  • Administrative scripts managing disk space
Emulation Scripts
emulation/e8-08/Invoke-BackupBypassEmulation.ps1

Run in a Windows lab VM only. No real payload is executed.