Delete Volume Shadow Copies via WMI with PowerShell - PS Script (e17121b4-ef2a-4418-8a59-12fb1631fa9e)

Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Delete Volume Shadow Copies via WMI with PowerShell - PS Script (e17121b4-ef2a-4418-8a59-12fb1631fa9e) | Sigma-Rules | Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | 1 |