Sensitive File Access Via Volume Shadow Copy Backup
Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
Sigma rule:

```yaml
title: Sensitive File Access Via Volume Shadow Copy Backup
id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
status: test
description: |
    Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
    - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2024-01-18
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        # copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1
        # There is an additional "\" to escape the special "?"
        CommandLine|contains: '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
    selection_2:
        CommandLine|contains:
            - '\\NTDS.dit'
            - '\\SYSTEM'
            - '\\SECURITY'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
```
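As an added illustration (not part of the rule or the SigmaHQ project), the Python below applies the rule's two selections to constructed process-creation command lines, reproducing how a Sigma backend unescapes the `\\` and `\?` sequences in the pattern and then performs the case-insensitive `contains` test:

```python
# Sigma patterns copied from the rule above. In a Sigma string value "\\" is a
# literal backslash and "\?" a literal "?" (an unescaped "?" is a wildcard).
SELECTION_1 = r'\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
SELECTION_2 = [r'\\NTDS.dit', r'\\SYSTEM', r'\\SECURITY']


def sigma_unescape(pattern: str) -> str:
    """Turn a Sigma string (without wildcards) into the literal text it matches."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\' and i + 1 < len(pattern) and pattern[i + 1] in '\\*?':
            out.append(pattern[i + 1])  # escaped backslash or wildcard character
            i += 2
        else:
            out.append(ch)  # a lone backslash before any other char is literal
            i += 1
    return ''.join(out)


def matches_rule(command_line: str) -> bool:
    """condition: all of selection_*  (Sigma 'contains' is case-insensitive)."""
    cl = command_line.lower()
    sel1 = sigma_unescape(SELECTION_1).lower() in cl
    sel2 = any(sigma_unescape(p).lower() in cl for p in SELECTION_2)
    return sel1 and sel2


# Constructed sample command lines (not real telemetry); the first two should
# alert, the third touches a shadow copy but no sensitive file, the fourth
# reads the live NTDS path and is outside this rule's scope.
SAMPLE_EVENTS = [
    r'copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit',
    r'cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM C:\Users\Public\sys',
    r'copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\alice\report.docx C:\restore\report.docx',
    r'copy C:\Windows\NTDS\NTDS.dit D:\backup\ntds.dit',
]


def flag_events(events):
    """Return only the command lines the rule would alert on."""
    return [e for e in events if matches_rule(e)]


if __name__ == '__main__':
    for event in flag_events(SAMPLE_EVENTS):
        print('ALERT:', event)
```

Because `contains` is a substring test, the `\SYSTEM` token also matches any path containing `\System32\`, so in practice selection_1 (the shadow-copy device path) is what keeps the rule precise.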