Skip to main content
Splunk Lantern

Shadow copies deleted

The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. WMIC is a software utility that allows users to perform Windows Management Instrumentation operations with a command prompt. This search looks for either of these tools being used to delete shadow copies, which are backups of your files and volumes.

Data required 

Endpoint data

Procedure

  1. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation. To run this search, your deployment needs to be ingesting endpoint data that tracks process activity, including parent-child relationships, from your endpoints to populate the Endpoint data model in the Processes node. The command line arguments are mapped to the "process" field in the Endpoint data model.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
| tstats allow_old_summaries=true count, values("Processes.process") AS process, values("Processes.parent_process") AS parent_process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=vssadmin.exe OR "Processes.process_name"=wmic.exe) "Processes.process"=*delete* "Processes.process"=*shadow*) BY "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.dest" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| tstats allow_old_summaries=true count, values("Processes.process") AS process, values("Processes.parent_process") AS parent_process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=vssadmin.exe OR "Processes.process_name"=wmic.exe) "Processes.process"=*delete* "Processes.process"=*shadow*) BY "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.dest"  Query the Endpoint.Processes data model object to search for shadow copies being deleted through the vssadmin.exe or wmic.exe utilities. Sort first by user, then process name, parent process name, and destination.
| rename "Processes.*" AS "*"  Rename data model fields for better readability.
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Convert these times into readable strings.

Next steps

False positives in this search may occur since vssadmin.exe and wmic.exe are standard applications shipped with modern versions of Windows and may be used by administrators to legitimately delete old backup copies, although this is typically rare.

If you receive clear positive results from this search, start your incident response process for dealing with a ransomware infection. You should check for recent backups for the systems affected by the infection.

Another ransomware tactic you may want to search for is attackers using wmic.exe to launch processes on remote systems.

Finally, you might be interested in other processes associated with the Detecting a ransomware attack use case.