Disabled Volume Snapshots

Dec 18, 2023 · attack.defense_evasion attack.t1562.001 ·

Detects commands that temporarily turn off Volume Snapshots

Sigma rule (View on GitHub)

 1title: Disabled Volume Snapshots
 2id: dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a
 3status: test
 4description: Detects commands that temporarily turn off Volume Snapshots
 5references:
 6    - https://twitter.com/0gtweet/status/1354766164166115331
 7author: Florian Roth (Nextron Systems)
 8date: 2021/01/28
 9modified: 2023/12/15
10tags:
11    - attack.defense_evasion
12    - attack.t1562.001
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        CommandLine|contains|all:
19            - '\Services\VSS\Diag'
20            - '/d Disabled'
21    condition: selection
22falsepositives:
23    - Legitimate administration
24level: high

References

x.com

Read More

Related rules

Reg Add Suspicious Paths
HackTool - CobaltStrike BOF Injection Pattern
HackTool - PowerTool Execution
SafeBoot Registry Key Deleted Via Reg.EXE
Service Registry Key Deleted Via Reg.EXE

Disabled Volume Snapshots

Sigma rule (View on GitHub)

References

x.com

Related rules