Symbolic Link to Shadow Copy Created
Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/12/25"
3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
4maturity = "production"
5updated_date = "2024/11/02"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic", "Austin Songer"]
11description = """
12Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow
13copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.
14"""
15false_positives = ["Legitimate administrative activity related to shadow copies."]
16from = "now-9m"
17index = [
18 "winlogbeat-*",
19 "logs-endpoint.events.process-*",
20 "logs-windows.forwarded*",
21 "logs-windows.sysmon_operational-*",
22 "endgame-*",
23 "logs-system.security*",
24 "logs-m365_defender.event-*",
25 "logs-sentinel_one_cloud_funnel.*",
26 "logs-crowdstrike.fdr*",
27]
28language = "eql"
29license = "Elastic License v2"
30name = "Symbolic Link to Shadow Copy Created"
31note = """## Triage and analysis
32
33### Investigating Symbolic Link to Shadow Copy Created
34
35Shadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.
36
37#### Possible investigation steps
38
39- Identify the user account that performed the action and whether it should perform this kind of action.
40- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
41- Investigate other alerts associated with the user/host during the past 48 hours.
42- Determine if a volume shadow copy was recently created on this endpoint.
43- Review privileges of the end user as this requires administrative access.
44- Verify if the ntds.dit file was successfully copied and determine its copy destination.
45- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.
46- Investigate recent deletions of volume shadow copies.
47- Identify other files potentially copied from volume shadow copy paths directly.
48
49### False positive analysis
50
51- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.
52
53### Related rules
54
55- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f
56
57### Response and remediation
58
59- Initiate the incident response process based on the outcome of the triage.
60- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
61- If the entire domain or the `krbtgt` user was compromised:
62 - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.
63- Locate and remove static files copied from volume shadow copies.
64- Command-Line tool mklink should require administrative access by default unless in developer mode.
65- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
66- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
67- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
68"""
69references = [
70 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink",
71 "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf",
72 "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/",
73 "https://www.hackingarticles.in/credential-dumping-ntds-dit/",
74]
75risk_score = 47
76rule_id = "d117cbb4-7d56-41b4-b999-bdf8c25648a0"
77setup = """## Setup
78
79Ensure advanced audit policies for Windows are enabled, specifically:
80Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > System Audit Policies > Object Access > Audit File System (Success,Failure) Audit Handle Manipulation (Success,Failure)
1
2This event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.
3Direct access to a shell and calling symbolic link creation tools will not generate an event matching this rule.
4"""
5severity = "medium"
6tags = [
7 "Domain: Endpoint",
8 "OS: Windows",
9 "Use Case: Threat Detection",
10 "Tactic: Credential Access",
11 "Resources: Investigation Guide",
12 "Data Source: Elastic Endgame",
13 "Data Source: Elastic Defend",
14 "Data Source: System",
15 "Data Source: Microsoft Defender for Endpoint",
16 "Data Source: Sysmon",
17 "Data Source: SentinelOne",
18 "Data Source: Crowdstrike",
19]
20timestamp_override = "event.ingested"
21type = "eql"
22
23query = '''
24process where host.os.type == "windows" and event.type == "start" and
25 (
26 (?process.pe.original_file_name in ("Cmd.Exe","PowerShell.EXE")) or
27 (process.name : ("cmd.exe", "powershell.exe"))
28 ) and
29
30 /* Create Symbolic Link to Shadow Copies */
31 process.args : ("*mklink*", "*SymbolicLink*") and process.command_line : ("*HarddiskVolumeShadowCopy*")
32'''
33
34
35[[rule.threat]]
36framework = "MITRE ATT&CK"
37[[rule.threat.technique]]
38id = "T1003"
39name = "OS Credential Dumping"
40reference = "https://attack.mitre.org/techniques/T1003/"
41[[rule.threat.technique.subtechnique]]
42id = "T1003.002"
43name = "Security Account Manager"
44reference = "https://attack.mitre.org/techniques/T1003/002/"
45
46[[rule.threat.technique.subtechnique]]
47id = "T1003.003"
48name = "NTDS"
49reference = "https://attack.mitre.org/techniques/T1003/003/"
50
51
52
53[rule.threat.tactic]
54id = "TA0006"
55name = "Credential Access"
56reference = "https://attack.mitre.org/tactics/TA0006/"
Triage and analysis
Investigating Symbolic Link to Shadow Copy Created
Shadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.
Possible investigation steps
- Identify the user account that performed the action and whether it should perform this kind of action.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Determine if a volume shadow copy was recently created on this endpoint.
- Review privileges of the end user as this requires administrative access.
- Verify if the ntds.dit file was successfully copied and determine its copy destination.
- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.
- Investigate recent deletions of volume shadow copies.
- Identify other files potentially copied from volume shadow copy paths directly.
False positive analysis
- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.
Related rules
- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f
Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- If the entire domain or the
krbtgt
user was compromised:- Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the
krbtgt
user.
- Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the
- Locate and remove static files copied from volume shadow copies.
- Command-Line tool mklink should require administrative access by default unless in developer mode.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
References
Related rules
- Credential Acquisition via Registry Hive Dumping
- Microsoft IIS Connection Strings Decryption
- NTDS or SAM Database File Copied
- Potential Veeam Credential Access Command
- Remote File Download via Desktopimgdownldr Utility