Identifies use of vssadmin.exe to delete or resize volume shadow copies on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks: deleting the copies removes the local restore points, and shrinking the shadow storage (vssadmin resize shadowstorage ... /maxsize=...) to a small value forces Windows to discard existing shadow copies, so it achieves the same goal as outright deletion.
Rule type: eql
Risk score: 73
Runs every: 5m
Maximum alerts per execution: 100
- Threat Detection
Rule license: Elastic License v2
process where event.type in ("start", "process_started") and event.action == "start" and
  (process.name : "vssadmin.exe" or process.pe.original_file_name == "VSSADMIN.EXE") and
  process.args in ("delete", "resize") and process.args : "shadows*"
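To see which events the query above fires on, the following is a plain-Python re-implementation of its predicate, run over a handful of constructed ECS-style process events. This is an added example, not part of the Elastic rule or its documentation; the event dictionaries are made up for illustration (flattened dotted ECS field names, process.args as the argv list including the executable), and the operator semantics follow the EQL documentation: == and in are exact and case-sensitive, while : is case-insensitive and honours * wildcards.

```python
from fnmatch import fnmatchcase

# Constructed sample events (not real telemetry). Flattened ECS field names.
SAMPLE_EVENTS = [
    {   # classic ransomware pre-encryption step
        "id": "delete-all",
        "event.type": "start", "event.action": "start",
        "process.name": "vssadmin.exe", "process.pe.original_file_name": "VSSADMIN.EXE",
        "process.args": ["vssadmin.exe", "delete", "shadows", "/all", "/quiet"],
    },
    {   # shrinking shadow storage evicts existing copies
        "id": "resize-storage",
        "event.type": "start", "event.action": "start",
        "process.name": "vssadmin.exe", "process.pe.original_file_name": "VSSADMIN.EXE",
        "process.args": ["vssadmin.exe", "resize", "shadowstorage", "/for=C:", "/on=C:", "/maxsize=401MB"],
    },
    {   # binary renamed on disk; the PE original file name still gives it away
        "id": "renamed-binary",
        "event.type": "process_started", "event.action": "start",
        "process.name": "vss.exe", "process.pe.original_file_name": "VSSADMIN.EXE",
        "process.args": ["vss.exe", "delete", "shadows", "/all"],
    },
    {   # benign enumeration: no delete/resize verb
        "id": "list-only",
        "event.type": "start", "event.action": "start",
        "process.name": "vssadmin.exe", "process.pe.original_file_name": "VSSADMIN.EXE",
        "process.args": ["vssadmin.exe", "list", "shadows"],
    },
    {   # mixed case: 'in' is case-sensitive in EQL, so "Delete" is not matched
        "id": "mixed-case",
        "event.type": "start", "event.action": "start",
        "process.name": "vssadmin.exe", "process.pe.original_file_name": "VSSADMIN.EXE",
        "process.args": ["vssadmin.exe", "Delete", "Shadows", "/all"],
    },
]


def eql_like(value: str, pattern: str) -> bool:
    """EQL ':' operator: case-insensitive comparison with '*' wildcards."""
    return fnmatchcase(str(value).lower(), pattern.lower())


def matches_vssadmin_rule(event: dict) -> bool:
    """True when the event satisfies the rule query, clause by clause."""
    if event.get("event.type") not in ("start", "process_started"):
        return False
    if event.get("event.action") != "start":
        return False
    # (process.name : "vssadmin.exe" or process.pe.original_file_name == "VSSADMIN.EXE")
    name_ok = eql_like(event.get("process.name", ""), "vssadmin.exe")
    pe_ok = event.get("process.pe.original_file_name") == "VSSADMIN.EXE"
    if not (name_ok or pe_ok):
        return False
    args = event.get("process.args", [])
    # process.args in ("delete", "resize"): any element equal, case-sensitive
    has_verb = any(a in ("delete", "resize") for a in args)
    # process.args : "shadows*": any element matching, case-insensitive; note
    # this also covers "shadowstorage", which is what makes the resize case fire
    has_target = any(eql_like(a, "shadows*") for a in args)
    return has_verb and has_target


def detect(events: list) -> list:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_vssadmin_rule(e)]


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

The mixed-case sample is the caveat to check in your own stack: because `in` compares exactly, `vssadmin Delete Shadows` slips past the verb clause even though the `: "shadows*"` clause matches. Confirm the behaviour against your Elasticsearch version, and use `in~` (the case-insensitive form) if you want that closed.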
Framework: MITRE ATT&CK™