Volume Shadow Copy Deletion via PowerShell

Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Impact

Version: 2

Added (Elastic Stack release): 7.16.0

Last modified (Elastic Stack release): 7.16.0

Rule authors: Elastic, Austin Songer

Rule license: Elastic License v2

Rule query

process where event.type in ("start", "process_started") and
  process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
  process.args : ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*") and
  process.args : ("*Win32_ShadowCopy*") and
  process.args : ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*")

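The query's logic evaluated offline over constructed process events, as an added example that is not Elastic's code: it shows that all three process.args groups must match and that the `:` operator is a case-insensitive wildcard match. The nested-dict event layout and the helper names (wildcard_match, any_match, as_list, rule_matches, make_event) are assumptions of this example.

```python
import re

# Values copied from the rule query; the three ARG_GROUPS are AND-ed together.
PROCESS_NAMES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
START_TYPES = ("start", "process_started")
ARG_GROUPS = (
    ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*"),
    ("*Win32_ShadowCopy*",),
    ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*"),
)

def wildcard_match(pattern, value):
    """EQL ':' operator: case-insensitive, '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def any_match(patterns, values):
    """True when any value (each element of an array field) matches any pattern."""
    return any(wildcard_match(p, v) for p in patterns for v in values)

def as_list(value):
    """ECS fields such as event.type may hold a single string or an array."""
    return [] if value is None else list(value) if isinstance(value, (list, tuple)) else [value]

def rule_matches(event):
    """Evaluate the rule query against one process event given as a nested dict."""
    ev, proc = event.get("event", {}), event.get("process", {})
    return (
        "process" in as_list(ev.get("category"))  # the "process where" clause
        and any(t in START_TYPES for t in as_list(ev.get("type")))
        and any_match(PROCESS_NAMES, as_list(proc.get("name")))
        # Each group may be satisfied by a different element of process.args.
        and all(any_match(g, as_list(proc.get("args"))) for g in ARG_GROUPS)
    )

def make_event(name, args, etype="start"):  # builds a constructed event (assumed layout)
    return {"event": {"category": "process", "type": etype}, "process": {"name": name, "args": args}}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    make_event("powershell.exe", ["powershell.exe", "-Command", "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"]),
    make_event("PWSH.EXE", ["pwsh.exe", "-c", "get-ciminstance win32_shadowcopy | remove-ciminstance"]),
    make_event("powershell.exe", ["powershell.exe", "-Command", "Get-WmiObject Win32_ShadowCopy | Select-Object ID"]),
    make_event("cmd.exe", ["cmd.exe", "/c", "echo Get-WmiObject Win32_ShadowCopy Remove-WmiObject"]),
    make_event("powershell.exe", ["powershell.exe", "-Command", "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"], etype="end"),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(rule_matches(e), e["process"]["name"], e["process"]["args"][-1])
```

Only the first two events match: the third enumerates shadow copies without a deletion term, the fourth is not a PowerShell process, and the fifth is not a process start event.
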
Threat mapping