Create Volume Shadow Copy with Powershell

calendar Aug 14, 2025 · attack.credential-access attack.t1003.003 attack.ds0005  ·
Share on: linkedin copy

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information

Sigma rule (View on GitHub)

 1title: Create Volume Shadow Copy with Powershell
 2id: afd12fed-b0ec-45c9-a13d-aa86625dac81
 3status: test
 4description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
 5references:
 6    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
 7author: frack113
 8date: 2022-01-12
 9tags:
10    - attack.credential-access
11    - attack.t1003.003
12    - attack.ds0005
13logsource:
14    product: windows
15    category: ps_script
16    definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18    selection:
19        ScriptBlockText|contains|all:
20            - Win32_ShadowCopy
21            - ').Create('
22            - ClientAccessible
23    condition: selection
24falsepositives:
25    - Legitimate PowerShell scripts
26level: high

References

  • Get-WmiObject (Microsoft.PowerShell.Management) - PowerShell

    Starting in PowerShell 3.0, this cmdlet has been superseded by Get-CimInstance. The Get-WmiObject cmdlet gets instances of WMI classes or information about the available WMI classes. To specify a remote computer, use the ComputerName parameter. If the List parameter is specified, the cmdlet gets information about the WMI classes that are available in a specified namespace. If the Query parameter is specified, the cmdlet runs a WMI query language (WQL) statement. The Get-WmiObject cmdlet does not use Windows PowerShell remoting to perform remote operations. You can use the ComputerName parameter of the Get-WmiObject cmdlet even if your computer does not meet the requirements for Windows PowerShell remoting or is not configured for remoting in Windows PowerShell. Beginning in Windows PowerShell 3.0, the __Server property of the object that Get-WmiObject returns has a PSComputerName alias. This makes it easier to include the source computer name in output and reports.


    Read More

Related rules

to-top