Shadow Copies Creation Using Operating Systems Utilities
Detects the creation of Volume Shadow Copies with built-in operating system utilities (vssadmin, wmic, PowerShell). Attackers create a shadow copy to read locked credential stores such as the SAM hive or NTDS.dit, so this is a possible precursor to credential access.
Sigma rule

```yaml
title: Shadow Copies Creation Using Operating Systems Utilities
id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce
status: test
description: Shadow Copies creation using operating systems utilities, possible credential access
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2019-10-22
modified: 2022-11-10
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.002
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wmic.exe'
              - '\vssadmin.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'wmic.exe'
              - 'VSSADMIN.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'shadow'
            - 'create'
    condition: all of selection_*
falsepositives:
    - Legitimate administrator working with shadow copies, access for backup purposes
level: medium
```
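To show exactly what the detection block above fires on, here is a small Python re-implementation of the rule's two selections run over constructed process_creation events. This is an added example, not code from SigmaHQ or from the page; the field names (Image, OriginalFileName, CommandLine) follow the Sigma Windows process_creation taxonomy as populated by Sysmon Event ID 1, and every sample event and command line is made up for illustration. It demonstrates three properties of the rule: Sigma's `endswith` and `contains` are case-insensitive, the OR between `Image` and `OriginalFileName` still catches a renamed vssadmin.exe as long as the log source supplies OriginalFileName (Sysmon does; Security event 4688 does not), and an enumeration such as `vssadmin list shadows` does not match because `create` is missing.

```python
"""Illustrative re-implementation of the Sigma rule's detection logic.

Assumptions (not from the rule page): events are dicts keyed by the Sigma
process_creation field names; all sample events below are constructed.
"""
from typing import Dict, List

Event = Dict[str, str]

# selection_img: (Image|endswith any of ...) OR (OriginalFileName in ...).
# Sigma string matching is case-insensitive, so compare lower-cased values.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe", "\\wmic.exe", "\\vssadmin.exe")
ORIGINAL_FILE_NAMES = {"powershell.exe", "pwsh.dll", "wmic.exe", "vssadmin.exe"}

# selection_cli: CommandLine|contains|all of these tokens.
CLI_TOKENS = ("shadow", "create")


def selection_img(event: Event) -> bool:
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILE_NAMES


def selection_cli(event: Event) -> bool:
    cli = event.get("CommandLine", "").lower()
    return all(token in cli for token in CLI_TOKENS)


def matches(event: Event) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


def run_rule(events: List[Event]) -> List[int]:
    """Return the indices of the events that fire the rule."""
    return [i for i, event in enumerate(events) if matches(event)]


# Constructed Sysmon-style process_creation events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {   # 0: classic vssadmin shadow creation
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "OriginalFileName": "VSSADMIN.EXE",
        "CommandLine": "vssadmin create shadow /for=C:",
    },
    {   # 1: same via WMI
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic shadowcopy call create Volume=C:",
    },
    {   # 2: same via PowerShell and the Win32_ShadowCopy class
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell -c (Get-WmiObject -List Win32_ShadowCopy)"
                       ".Create('C:\\','ClientAccessible')",
    },
    {   # 3: vssadmin.exe copied and renamed; Image no longer matches,
        #    OriginalFileName (from the PE version resource) still does
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "VSSADMIN.EXE",
        "CommandLine": "svc.exe CREATE SHADOW /for=C:",
    },
    {   # 4: benign enumeration, no 'create' token
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "OriginalFileName": "VSSADMIN.EXE",
        "CommandLine": "vssadmin list shadows",
    },
    {   # 5: both tokens present, but the image is not one the rule lists
        "Image": r"C:\Program Files\Backup\agent.exe",
        "OriginalFileName": "agent.exe",
        "CommandLine": "agent.exe --create-shadow-snapshot C:",
    },
]


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"[{i}] {SAMPLE_EVENTS[i]['CommandLine']}")
```

Event 3 is the one worth checking in your own pipeline: if the log source only maps 4688's NewProcessName into `Image` and never populates `OriginalFileName`, the renamed binary is missed, which is why the rule lists both fields. Event 5 illustrates the deliberate narrowness of `selection_img`; third-party backup agents create shadow copies all day and are the main source of the false positives the rule notes.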
References
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
Related rules
- Copying Sensitive Files with Credential Data
- Cred Dump Tools Dropped Files
- Esentutl Gather Credentials
- NTDS.DIT Creation By Uncommon Process
- Possible Impacket SecretDump Remote Activity