MITRE ATT&CK® Analytic

AN0933: Analytic 0933

Process chains that use native utilities (vssadmin, wbadmin, diskshadow, bcdedit, REAgentC, wmic) with arguments to delete shadow copies, disable recovery, or remove backup catalogs

Enterprise | AN0933 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic focuses on Windows process chains where built-in utilities are used with arguments associated with deleting shadow copies, disabling recovery, or removing backup catalogs. For leaders, the practical issue is resilience: if recovery artifacts are removed or disabled, restoration options during an incident may be reduced. The value of this analytic is to verify whether the SOC can see and investigate suspicious use of native Windows recovery and backup administration tools before an outage or destructive event becomes harder to recover from.

Executive priority

Treat this as a business-continuity and incident-readiness control check. Security leaders should ask whether endpoint and process telemetry can show use of vssadmin, wbadmin, diskshadow, bcdedit, REAgentC, and wmic with recovery-impacting arguments, and whether those alerts are tied to response playbooks that validate backup integrity and recovery posture. Because ATT&CK supplies no tactic or relationship context here, prioritize this as a defensive visibility and resilience validation rather than as evidence of any specific adversary activity.

Technical view

For Windows environments, validate detection logic around process creation and process-chain context for native utilities named in the analytic: vssadmin, wbadmin, diskshadow, bcdedit, REAgentC, and wmic. The analytic scope is argument patterns associated with deleting shadow copies, disabling recovery, or removing backup catalogs. SOC and IR teams should confirm they can capture command-line arguments, parent and child process relationships, user context, host identity, and timestamps. Since no official detection text or related ATT&CK techniques are supplied, local tuning should distinguish legitimate administrative backup/recovery operations from unusual execution context, unexpected initiators, or activity outside approved change windows.

Likely telemetry

  • Windows process creation events
  • Command-line argument logging for native utilities
  • Parent-child process relationship data
  • User and logon context for the process
  • Host and asset criticality context

Detection direction

  • Validate that process command lines are collected for vssadmin, wbadmin, diskshadow, bcdedit, REAgentC, and wmic on Windows systems.
  • Tune for arguments associated with deleting shadow copies, disabling recovery, or removing backup catalogs, while accounting for approved backup administration and maintenance workflows.
  • Correlate suspicious utility use with parent process, user account, endpoint role, and timing to reduce false positives from legitimate administrators.
  • Prioritize alerts on critical servers, backup infrastructure, domain administration workstations, and systems with high recovery-time importance where local asset context is available.
  • Review blind spots where command-line logging, process ancestry, or endpoint telemetry is incomplete, because the supplied analytic depends heavily on those evidence classes.
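As an added example (not part of the ATT&CK analytic or the Glexia take), the Python below applies the detection direction above to a few constructed process-creation records: it matches the named utilities against argument patterns for each of the three behaviours (shadow copy deletion, recovery disablement, backup catalog removal), then grades severity from parent-process approval and asset criticality. The event field names, the approved backup-agent path and the critical-host list are assumptions standing in for local context.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
EVENTS = [
    {"host": "fs01", "user": "CORP\\svc_backup", "parent": r"C:\Program Files\BackupAgent\agent.exe",
     "image": r"C:\Windows\System32\wbadmin.exe", "cmd": "wbadmin delete catalog -quiet"},
    {"host": "ws17", "user": "CORP\\jdoe", "parent": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "dc01", "user": "CORP\\jdoe", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bcdedit.exe", "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws02", "user": "CORP\\admin1", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin list shadows"},
]

# Argument patterns for the three behaviours the analytic names, keyed by utility.
# diskshadow usually reads its commands from a script file (/s), so the deletion text is
# often absent from the command line; that case is flagged for script review below.
PATTERNS = [
    ("delete_shadow_copies", r"vssadmin", r"delete\s+shadows"),
    ("delete_shadow_copies", r"wmic", r"shadowcopy\s+delete"),
    ("delete_shadow_copies", r"diskshadow", r"delete\s+shadows"),
    ("disable_recovery", r"bcdedit", r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures"),
    ("disable_recovery", r"reagentc", r"/disable"),
    ("remove_backup_catalog", r"wbadmin", r"delete\s+catalog"),
]

# Assumed local context: approved backup-agent parents and high recovery-time-importance hosts.
APPROVED_PARENTS = {r"c:\program files\backupagent\agent.exe"}
CRITICAL_HOSTS = {"dc01", "fs01"}


def classify(event, approved_parents=APPROVED_PARENTS, critical_hosts=CRITICAL_HOSTS):
    """Return a finding dict for a recovery-impacting command, or None if nothing matched."""
    exe = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmd"].lower()
    for behaviour, util, args in PATTERNS:
        if re.fullmatch(util + r"(\.exe)?", exe) and re.search(args, cmd):
            break
    else:
        if exe == "diskshadow.exe" and re.search(r"(^|\s)/s\b", cmd):
            behaviour = "review_diskshadow_script"
        else:
            return None
    # Approved workflow: keep for audit at low severity; unexpected initiator on a critical host pages.
    approved = event["parent"].lower() in approved_parents
    severity = "low" if approved else "high" if event["host"].lower() in critical_hosts else "medium"
    return {"host": event["host"], "user": event["user"], "behaviour": behaviour,
            "severity": severity, "parent": event["parent"], "cmd": event["cmd"]}
```

The low-severity path is deliberate: an approved backup agent removing a catalog is still recorded so backup owners can confirm it was part of a scheduled maintenance run.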

Mitigation priorities

  • Ensure backup and recovery operations are governed by approved administrative processes and change control.
  • Restrict and monitor privileged use of Windows recovery and backup utilities according to role need.
  • Validate that recovery artifacts and backup catalogs are protected by operational controls outside normal endpoint administration where possible.
  • Test incident response playbooks for rapid triage of recovery-disabling activity and escalation to backup owners.
  • Use this analytic as evidence for resilience and compliance readiness by documenting telemetry coverage, alert logic, tuning decisions, and response procedures.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Windows native utility usage affecting shadow copies, recovery configuration, or backup catalogs. No tactics, relationships, groups, software, or official detection procedure are provided, so the strongest use is as a coverage-validation prompt for SOC, IR, endpoint logging, and business-continuity teams.

This take is limited to the official fields supplied. ATT&CK does not provide detection logic, tactic mapping, relationship context, or evidence of active exploitation for this object. Local environment knowledge is required to determine legitimate administrative baselines, alert severity, and response actions.

Official MITRE ATT&CK definition

Analytic 0933

Process chains that use native utilities (vssadmin, wbadmin, diskshadow, bcdedit, REAgentC, wmic) with arguments to delete shadow copies, disable recovery, or remove backup catalogs

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: dc5eb8f67f835730...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  dc5eb8f67f83…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0933

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.