VolumeShadowCopy Symlink Creation Via Mklink
Shadow Copies storage symbolic link creation using operating systems utilities
Sigma rule (View on GitHub)
1title: VolumeShadowCopy Symlink Creation Via Mklink
2id: 40b19fa6-d835-400c-b301-41f3a2baacaf
3status: stable
4description: Shadow Copies storage symbolic link creation using operating systems utilities
5references:
6 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
7author: Teymur Kheirkhabarov, oscd.community
8date: 2019-10-22
9modified: 2023-03-06
10tags:
11 - attack.credential-access
12 - attack.t1003.002
13 - attack.t1003.003
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 CommandLine|contains|all:
20 - 'mklink'
21 - 'HarddiskVolumeShadowCopy'
22 condition: selection
23falsepositives:
24 - Legitimate administrator working with shadow copies, access for backup purposes
25level: high
References
-
Hunting for Credentials Dumping in Windows Environment - Download as a PDF or view online for free
Read More
Related rules
- Copying Sensitive Files with Credential Data
- Cred Dump Tools Dropped Files
- NTDS.DIT Creation By Uncommon Process
- Possible Impacket SecretDump Remote Activity
- Possible Impacket SecretDump Remote Activity - Zeek