Create Volume Shadow Copy with Powershell

calendar Jan 27, 2023 · attack.credential_access attack.t1003.003  ·
Share on: linkedin copy

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information

Sigma rule (View on GitHub)

 1title: Create Volume Shadow Copy with Powershell
 2id: afd12fed-b0ec-45c9-a13d-aa86625dac81
 3status: test
 4description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
 5references:
 6    - https://attack.mitre.org/datasources/DS0005/
 7    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
 8author: frack113
 9date: 2022/01/12
10tags:
11    - attack.credential_access
12    - attack.t1003.003
13logsource:
14    product: windows
15    category: ps_script
16    definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18    selection:
19        ScriptBlockText|contains|all:
20            - win32_shadowcopy
21            - ').Create('
22            - ClientAccessible
23    condition: selection
24falsepositives:
25    - Legitimate PowerShell scripts
26level: high

References

  • WMI, Data Source DS0005 | MITRE ATT&CK®

    Enterprise T1546 Event Triggered Execution Monitor for newly constructed WMI Objects that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on...


    Read More

  • Get-WmiObject (Microsoft.PowerShell.Management) - PowerShell

    Starting in PowerShell 3.0, this cmdlet has been superseded by Get-CimInstance. The Get-WmiObject cmdlet gets instances of WMI classes or information about the available WMI classes. To specify a remote computer, use the ComputerName parameter. If the List parameter is specified, the cmdlet gets information about the WMI classes that are available in a specified namespace. If the Query parameter is specified, the cmdlet runs a WMI query language (WQL) statement. The Get-WmiObject cmdlet does not use Windows PowerShell remoting to perform remote operations. You can use the ComputerName parameter of the Get-WmiObject cmdlet even if your computer does not meet the requirements for Windows PowerShell remoting or is not configured for remoting in Windows PowerShell. Beginning in Windows PowerShell 3.0, the __Server property of the object that Get-WmiObject returns has a PSComputerName alias. This makes it easier to include the source computer name in output and reports.


    Read More

Related rules

to-top