Ali Hadi | B!n@ry

I still have not found the answer to this and it would be great use to so many if there is an answer.

What is the Event ID for when a Volume Shadow Copy gets deleted? I know #Sysmon can show you this, but is there anything else? #DFIR #DigitalForensics #SOC #SIEM #BlueTeam #malware

Dec 19, 2022 at 1:29amWeb
Show threadDoug MetzDec 19, 2022
@dfir best I’ve been able to find so far is tied to 4868. https://car.mitre.org/analytics/CAR-2021-01-009/. Labworthy.
CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize

Cyber Analytics Repository

MITRE Cyber Analytics Repository
Show threadAli Hadi | B!n@ryDec 19, 2022
@dwmetz Yes, I've checked these before and there is currently no such event; haven't been able to see it. The #Sysmon one does exist, but I want to see what else is there, because what if we don't have Sysmon on the endpoint! Thanks Doug!
Show threadFluffy Destroyer of WorldsDec 19, 2022
@dfir according to https://car.mitre.org/analytics/CAR-2021-01-009/ it’s a mixture of things (4688 under Security, 5857/5858 in WMI-Activity), separate from 25 which is “deleted for lack of space”
CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize

Cyber Analytics Repository

MITRE Cyber Analytics Repository
Show threadAli Hadi | B!n@ryDec 19, 2022
@salm Unfortunately, I was unable to see those with all my testing, except the Sysmon one which I'm trying to avoid. The EID #25 is not found either on Windows 10 (system I'm testing on). Thanks Fluffy!