Disabled Volume Snapshots
Detects commands that temporarily turn off Volume Snapshots
Sigma rule (View on GitHub)
1title: Disabled Volume Snapshots
2id: dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a
3status: test
4description: Detects commands that temporarily turn off Volume Snapshots
5references:
6 - https://twitter.com/0gtweet/status/1354766164166115331
7author: Florian Roth (Nextron Systems)
8date: 2021/01/28
9modified: 2023/12/15
10tags:
11 - attack.defense_evasion
12 - attack.t1562.001
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 CommandLine|contains|all:
19 - '\Services\VSS\Diag'
20 - '/d Disabled'
21 condition: selection
22falsepositives:
23 - Legitimate administration
24level: high
References
Related rules
- Reg Add Suspicious Paths
- HackTool - CobaltStrike BOF Injection Pattern
- HackTool - PowerTool Execution
- SafeBoot Registry Key Deleted Via Reg.EXE
- Service Registry Key Deleted Via Reg.EXE