Copy From VolumeShadowCopy Via Cmd.EXE

Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)

Sigma rule

title: Copy From VolumeShadowCopy Via Cmd.EXE
id: c73124a7-3e89-44a3-bdc1-25fe4df754b1
status: test
description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
    - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2023-03-07
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\
        # There is an additional "\" to escape the special "?"
        CommandLine|contains|all:
            - 'copy '
            - '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
    condition: selection
falsepositives:
    - Backup scenarios using the commandline
level: high
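To see what the rule actually matches once Sigma's own escaping is resolved, here is an added Python example (not part of the rule above or of the SigmaHQ project) that translates the two `CommandLine|contains|all` values into case-insensitive regular expressions and runs them over a handful of constructed process_creation events. The escaping semantics it assumes are the ones the rule's comment relies on: `\\` is a literal backslash, `\?` and `\*` are literal characters, and a bare `?` or `*` is a wildcard. The event records and their ids are made up for the example.

```python
import re

# The two values exactly as they appear in the rule's selection.
SIGMA_VALUES = [
    r"copy ",
    r"\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy",
]


def sigma_literal(value: str) -> str:
    """Resolve Sigma escaping to the literal text the value stands for.

    Assumed semantics: a backslash escapes the next character if it is
    one of '\\', '*' or '?'; any other backslash is kept literally.
    Wildcards are left in place so callers can see them.
    """
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in "\\*?":
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def sigma_value_to_regex(value: str, modifier: str = "contains") -> re.Pattern:
    """Turn one Sigma string value into a regex honouring the given modifier."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in "\\*?":
            out.append(re.escape(value[i + 1]))  # escaped literal char
            i += 2
        elif ch == "*":
            out.append(".*")                     # unescaped wildcard
            i += 1
        elif ch == "?":
            out.append(".")                      # unescaped single-char wildcard
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    body = "".join(out)
    if modifier == "contains":
        pattern = body
    elif modifier == "startswith":
        pattern = "^" + body
    elif modifier == "endswith":
        pattern = body + "$"
    else:
        pattern = "^" + body + "$"              # plain equality
    # Sigma string matching is case-insensitive by default.
    return re.compile(pattern, re.IGNORECASE | re.DOTALL)


PATTERNS = [sigma_value_to_regex(v, "contains") for v in SIGMA_VALUES]


def matches_rule(command_line: str) -> bool:
    """contains|all: every listed value must occur somewhere in CommandLine."""
    return all(p.search(command_line) for p in PATTERNS)


# Constructed process_creation events; only CommandLine matters to the rule.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\SYSTEM"},
    {"EventId": 2, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy C:\Users\alice\report.docx D:\backup"},
    {"EventId": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c dir \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows"},
    {"EventId": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"CMD /C COPY \\?\GLOBALROOT\DEVICE\HARDDISKVOLUMESHADOWCOPY2\Windows\System32\config\SAM C:\x"},
]


def evaluate(events):
    """Return the ids of the events on which the rule fires."""
    return [e["EventId"] for e in events if matches_rule(e["CommandLine"])]


if __name__ == "__main__":
    print("rule looks for:", sigma_literal(SIGMA_VALUES[1]))
    print("firing events:", evaluate(SAMPLE_EVENTS))
```

Event 3 shows why both values are needed: a shadow-copy path on its own is not enough, the `copy ` token must be present too. Conversely the bare `copy ` value is also a substring of `xcopy ` and `robocopy `, so a tuning pass for the listed backup false positives should look at the full command line rather than just that token.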
