drop system or security evtx csv · detect vss deletion commands · identify shadow copy destruction patterns · correlate with ransomware or anti-forensic activity · surface which deletion method was used · runs locally
drop security · system · powershell · 4688 evtx csv (multi-file)
vssadmin delete shadows · wmic shadowcopy · bcdedit recovery · wbadmin · diskshadow · powershell WMI/CIM · events 524 · 753 · 7036
drop security · system · powershell evtx csv · 4688 process creation