VolumeShadowCopy Symlink Creation Via Mklink
Shadow Copies storage symbolic link creation using operating systems utilities
Sigma rule (View on GitHub)
1title: VolumeShadowCopy Symlink Creation Via Mklink
2id: 40b19fa6-d835-400c-b301-41f3a2baacaf
3status: stable
4description: Shadow Copies storage symbolic link creation using operating systems utilities
5references:
6 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
7author: Teymur Kheirkhabarov, oscd.community
8date: 2019/10/22
9modified: 2023/03/06
10tags:
11 - attack.credential_access
12 - attack.t1003.002
13 - attack.t1003.003
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 CommandLine|contains|all:
20 - 'mklink'
21 - 'HarddiskVolumeShadowCopy'
22 condition: selection
23falsepositives:
24 - Legitimate administrator working with shadow copies, access for backup purposes
25level: high
References
Related rules
- Copying Sensitive Files with Credential Data
- Transferring Files with Credential Data via Network Shares
- Transferring Files with Credential Data via Network Shares - Zeek
- Possible Impacket SecretDump Remote Activity - Zeek
- Esentutl Gather Credentials