Create Volume Shadow Copy with Powershell

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information

Sigma rule (View on GitHub)

 1title: Create Volume Shadow Copy with Powershell
 2id: afd12fed-b0ec-45c9-a13d-aa86625dac81
 3status: test
 4description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
 5references:
 6    - https://attack.mitre.org/datasources/DS0005/
 7    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
 8author: frack113
 9date: 2022/01/12
10tags:
11    - attack.credential_access
12    - attack.t1003.003
13logsource:
14    product: windows
15    category: ps_script
16    definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18    selection:
19        ScriptBlockText|contains|all:
20            - Win32_ShadowCopy
21            - ').Create('
22            - ClientAccessible
23    condition: selection
24falsepositives:
25    - Legitimate PowerShell scripts
26level: high

References

Related rules

to-top