Create Volume Shadow Copy with Powershell
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
Sigma rule (View on GitHub)
1title: Create Volume Shadow Copy with Powershell
2id: afd12fed-b0ec-45c9-a13d-aa86625dac81
3status: test
4description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
5references:
6 - https://attack.mitre.org/datasources/DS0005/
7 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
8author: frack113
9date: 2022/01/12
10tags:
11 - attack.credential_access
12 - attack.t1003.003
13logsource:
14 product: windows
15 category: ps_script
16 definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18 selection:
19 ScriptBlockText|contains|all:
20 - win32_shadowcopy
21 - ').Create('
22 - ClientAccessible
23 condition: selection
24falsepositives:
25 - Legitimate PowerShell scripts
26level: high
References
Related rules
- Transferring Files with Credential Data via Network Shares - Zeek
- NTDSutil Pulling of NTDS.dit File
- Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
- Possible Impacket SecretDump Remote Activity - Zeek
- Access to Browser Login Data