Create Volume Shadow Copy with Powershell
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
Sigma rule (View on GitHub)
1title: Create Volume Shadow Copy with Powershell
2id: afd12fed-b0ec-45c9-a13d-aa86625dac81
3status: test
4description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
5references:
6 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
7author: frack113
8date: 2022-01-12
9tags:
10 - attack.credential-access
11 - attack.t1003.003
12 - attack.ds0005
13logsource:
14 product: windows
15 category: ps_script
16 definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18 selection:
19 ScriptBlockText|contains|all:
20 - Win32_ShadowCopy
21 - ').Create('
22 - ClientAccessible
23 condition: selection
24falsepositives:
25 - Legitimate PowerShell scripts
26level: high
References
Related rules
- Transferring Files with Credential Data via Network Shares
- Esentutl Gather Credentials
- Sensitive File Dump Via Wbadmin.EXE
- Sensitive File Recovery From Backup Via Wbadmin.EXE
- Cred Dump Tools Dropped Files