Conti Volume Shadow Listing

 1title: Conti Volume Shadow Listing
 2id: 7b30e0a7-c675-4b24-8a46-82fa67e2433d
 3status: test
 4description: Detects a command used by conti to find volume shadow backups
 5references:
 6    - https://twitter.com/vxunderground/status/1423336151860002816?s=20
 7    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
 8author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
 9date: 2021/08/09
10tags:
11    - attack.t1587.001
12    - attack.resource_development
13    - detection.emerging_threats
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        CommandLine|contains|all:
20            - 'vssadmin list shadows'
21            - 'log.txt'
22    condition: selection
23fields:
24    - User
25    - CommandLine
26    - ParentImage
27falsepositives:
28    - Unknown
29level: high

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

Related rules

• VHD Image Download Via Browser
• ProxyLogon MSExchange OabVirtualDirectory
• APT PRIVATELOG Image Load Pattern
• APT27 - Emissary Panda Activity
• APT31 Judgement Panda Activity