Copy From VolumeShadowCopy Via Cmd.EXE

Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)

Sigma rule (View on GitHub)

 1title: Copy From VolumeShadowCopy Via Cmd.EXE
 2id: c73124a7-3e89-44a3-bdc1-25fe4df754b1
 3status: test
 4description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
 5references:
 6    - https://twitter.com/vxunderground/status/1423336151860002816?s=20
 7    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
 8    - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
 9author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
10date: 2021/08/09
11modified: 2023/03/07
12tags:
13    - attack.impact
14    - attack.t1490
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        # cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\
21        # There is an additional "\" to escape the special "?"
22        CommandLine|contains|all:
23            - 'copy '
24            - '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
25    condition: selection
26falsepositives:
27    - Backup scenarios using the commandline
28level: high

References

Related rules

to-top