Shadow Copies Creation Using Operating Systems Utilities

Shadow Copies creation using operating systems utilities, possible credential access

Sigma rule (View on GitHub)

 1title: Shadow Copies Creation Using Operating Systems Utilities
 2id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce
 3status: test
 4description: Shadow Copies creation using operating systems utilities, possible credential access
 5references:
 6    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 7    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
 8author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 9date: 2019/10/22
10modified: 2022/11/10
11tags:
12    - attack.credential_access
13    - attack.t1003
14    - attack.t1003.002
15    - attack.t1003.003
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith:
22              - '\powershell.exe'
23              - '\pwsh.exe'
24              - '\wmic.exe'
25              - '\vssadmin.exe'
26        - OriginalFileName:
27              - 'PowerShell.EXE'
28              - 'pwsh.dll'
29              - 'wmic.exe'
30              - 'VSSADMIN.EXE'
31    selection_cli:
32        CommandLine|contains|all:
33            - 'shadow'
34            - 'create'
35    condition: all of selection_*
36falsepositives:
37    - Legitimate administrator working with shadow copies, access for backup purposes
38level: medium

References

Related rules

to-top