Disabled Volume Snapshots

Mar 5, 2023 · attack.defense_evasion attack.t1562.001 ·

Share on:

Detects commands that temporarily turn off Volume Snapshots

Sigma rule (View on GitHub)

 1title: Disabled Volume Snapshots
 2id: dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a
 3status: test
 4description: Detects commands that temporarily turn off Volume Snapshots
 5references:
 6    - https://twitter.com/0gtweet/status/1354766164166115331
 7author: Florian Roth (Nextron Systems)
 8date: 2021/01/28
 9modified: 2022/10/09
10tags:
11    - attack.defense_evasion
12    - attack.t1562.001
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        CommandLine|contains|all:
19            - 'reg'
20            - ' add '
21            - '\Services\VSS\Diag'
22            - '/d Disabled'
23    condition: selection
24falsepositives:
25    - Legitimate administration
26level: high

Related rules

Disabled IE Security Features
Potential Privileged System Service Operation - SeLoadDriverPrivilege
Tamper Windows Defender Remove-MpPreference
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
Disable Windows Defender AV Security Monitoring