
Windows WMIC Shadowcopy Delete

Status: production
Severity: low
Group by: IntegrityLevel, command_line, computer_name, event_action, original_file_name, parent_command_line, parent_process_guid, parent_process_id, parent_process_name, process_guid, process_hash, process_id, process_name, user, user_id, vendor_product
Author: Michael Haag, AJ King, Splunk
Source: github.com/splunk/security_content

This analytic detects the use of WMIC to delete volume shadow copies, a common technique used by ransomware actors to prevent system recovery. Ransomware such as Cactus often deletes shadow copies before encrypting files to ensure victims cannot recover their data without paying the ransom. This behavior is particularly concerning because it indicates potential ransomware activity or malicious actors attempting to prevent system recovery.

MITRE ATT&CK coverage

Tactic | Techniques
Impact | T1490 Inhibit System Recovery

Event coverage

Provider | Event | Title
Sysmon | Event ID 1 | Process creation

Rule body splunk

name: Windows WMIC Shadowcopy Delete
id: 0a8c4b26-a4e2-4ef1-b0d9-62af6d36bdc8
version: 5
creation_date: '2025-03-18'
modification_date: '2026-05-13'
author: Michael Haag, AJ King, Splunk
status: production
type: Anomaly
description: This analytic detects the use of WMIC to delete volume shadow copies, which is a common technique used by ransomware actors to prevent system recovery. Ransomware like Cactus often delete shadow copies before encrypting files to ensure victims cannot recover their data without paying the ransom. This behavior is particularly concerning as it indicates potential ransomware activity or malicious actors attempting to prevent system recovery.
data_source:
    - Sysmon EventID 1
search: |-
    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe Processes.process = "*shadowcopy*" Processes.process = "*delete*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
    Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
    Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
    Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
    Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmic_shadowcopy_delete_filter`
how_to_implement: This detection requires Sysmon logging with Event ID 1 (Process Create) enabled. The logs must be processed using the appropriate Splunk Technology Add-ons and mapped to the Endpoint.Processes data model. Ensure that command-line arguments are being logged and that the appropriate permissions are in place to capture this data.
known_false_positives: Legitimate system maintenance or backup operations may occasionally delete shadow copies. However, this activity should be rare and typically performed through approved administrative tools rather than direct WMIC commands. Tune and modify the search to fit your environment, enable as TTP.
references:
    - https://any.run/malware-trends/cactus
    - https://attack.mitre.org/techniques/T1490/
drilldown_searches:
    - name: View the detection results for - "$dest$" and "$process_name$"
      search: '%original_detection_search% | search dest = "$dest$" process_name = "$process_name$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$" and "$process_name$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$process_name$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: A WMIC command, $process_name$, was detected attempting to delete volume shadow copies spawned off of $parent_process_name$ on $dest$. This is a common ransomware technique used to prevent system recovery.
threat_objects:
    - field: parent_process_name
      type: parent_process_name
    - field: process_name
      type: process_name
analytic_story:
    - Cactus Ransomware
    - Volt Typhoon
    - Suspicious WMI Use
asset_type: Endpoint
mitre_attack_id:
    - T1490
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/shadowcopy_del/wmicshadowcopydelete_sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog
      test_type: unit

Stages and Predicates

Stage 1: tstats

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe Processes.process = "*shadowcopy*" Processes.process = "*delete*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product

Stage 2: search

| `drop_dm_object_name(Processes)`

Stage 3: search

| `security_content_ctime(firstTime)`

Stage 4: search

| `security_content_ctime(lastTime)`

Stage 5: search

| `windows_wmic_shadowcopy_delete_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
Processes.process | eq
  • "*delete*" corpus 23 (sigma 16, splunk 6, kusto 1)
  • "*shadowcopy*" corpus 6 (sigma 3, splunk 3)
Processes.process_name | eq
  • "wmic.exe" corpus 47 (splunk 27, elastic 20)
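The three predicates above, applied to constructed process-creation records and summarized the way the tstats stage does (count, firstTime, lastTime per group). This is an added example, not code from the Splunk rule or repository; it assumes case-insensitive matching and groups by only four of the rule's fields, and the record layout and function names are hypothetical.

```python
import fnmatch

# The rule's three predicates, taken from the tstats where clause.
PROCESS_NAME = "wmic.exe"
PROCESS_WILDCARDS = ("*shadowcopy*", "*delete*")


def matches_rule(event):
    """Return True when a record satisfies all three predicates.

    Assumption: values are compared case-insensitively.
    """
    name = event.get("process_name", "").lower()
    cmdline = event.get("process", "").lower()
    if name != PROCESS_NAME:
        return False
    return all(fnmatch.fnmatchcase(cmdline, pat) for pat in PROCESS_WILDCARDS)


def summarize(events):
    """Count matches and track first/last time per group (subset of the rule's by-fields)."""
    rows = {}
    for ev in events:
        if not matches_rule(ev):
            continue
        key = (ev["dest"], ev["user"], ev["parent_process_name"], ev["process"])
        row = rows.setdefault(
            key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows


# Constructed sample records (not taken from the attack_data test log).
SAMPLE_EVENTS = [
    {"_time": 1000, "dest": "ws-01", "user": "alice", "parent_process_name": "cmd.exe",
     "process_name": "WMIC.exe", "process": "wmic.exe shadowcopy delete"},
    {"_time": 1060, "dest": "ws-01", "user": "alice", "parent_process_name": "cmd.exe",
     "process_name": "WMIC.exe", "process": "wmic.exe shadowcopy delete"},
    # wmic querying shadow copies: has "shadowcopy" but not "delete".
    {"_time": 1100, "dest": "ws-02", "user": "bob", "parent_process_name": "powershell.exe",
     "process_name": "wmic.exe", "process": "wmic shadowcopy list brief"},
    # Both keywords present, but the process is not wmic.exe.
    {"_time": 1200, "dest": "ws-03", "user": "carol", "parent_process_name": "explorer.exe",
     "process_name": "notepad.exe", "process": "notepad.exe delete-shadowcopy-notes.txt"},
]

if __name__ == "__main__":
    for key, row in summarize(SAMPLE_EVENTS).items():
        print(key, row)
```

Only the two ws-01 records match, and they collapse into a single row because they share every grouping field.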