Proxy Execution via Vshadow
Detects invocation of vshadow.exe with the -exec parameter, which runs a specified script or command after the shadow copies are created but before the VShadow tool exits. VShadow is a command-line tool for creating and managing volume shadow copies. Legitimate backup or administrative scripts may use this flag, but attackers can abuse it to proxy the execution of malware.
Sigma rule (View on GitHub)
title: Proxy Execution via Vshadow
id: d7c75059-2901-4578-b209-8837fd31c6a8
status: experimental
description: |
    Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.
    VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,
    attackers can leverage this parameter to proxy the execution of malware.
author: David Faiss
date: 2025-05-26
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/
    - https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\vshadow.exe'
        - OriginalFileName: 'vshadow.exe'
    selection_cli:
        CommandLine|contains: '-exec'
    condition: all of selection_*
falsepositives:
    - System backup or administrator tools
    - Legitimate administrative scripts
level: medium
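To show what the rule above actually matches, the following is an added example (not part of the Sigma rule or the SigmaHQ project) that evaluates its two selections and the `all of selection_*` condition over a handful of constructed process-creation events. Field names follow the Sigma windows process_creation logsource as populated by Sysmon Event ID 1 (Image, OriginalFileName, CommandLine); the events, paths and the payload name stage2.cmd are made up for illustration. Sigma string matching is case-insensitive, and the evaluator mirrors that.

```python
# Added example: a minimal evaluator for the "Proxy Execution via Vshadow" selections.
# Not the rule's or the project's own code; events below are constructed, not real telemetry.

RULE = {
    # A list of maps is OR-ed (either the image path or the PE OriginalFileName suffices).
    "selection_img": [
        {"Image|endswith": "\\vshadow.exe"},
        {"OriginalFileName": "vshadow.exe"},
    ],
    # A single map is AND-ed across its keys; here it is one key.
    "selection_cli": {"CommandLine|contains": "-exec"},
}


def _match_field(event, key, expected):
    """Apply one Sigma 'field|modifier' pair; Sigma matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value, expected = value.lower(), expected.lower()
    if modifier == "":
        return value == expected
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "contains":
        return expected in value
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_selection(event, selection):
    """List of maps -> OR between items; keys inside one map -> AND."""
    if isinstance(selection, list):
        return any(_match_selection(event, item) for item in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def matches_rule(event):
    """condition: all of selection_*"""
    return all(_match_selection(event, sel) for sel in RULE.values())


# Constructed sample events (hypothetical paths and payload names).
SAMPLE_EVENTS = [
    {   # LOLBAS-style proxy execution via -exec: alert expected
        "Image": "C:\\Tools\\vshadow.exe",
        "OriginalFileName": "vshadow.exe",
        "CommandLine": "vshadow.exe -nw -exec=C:\\Users\\Public\\stage2.cmd C:",
    },
    {   # renamed copy of the binary: still caught through OriginalFileName
        "Image": "C:\\Users\\Public\\svc.exe",
        "OriginalFileName": "vshadow.exe",
        "CommandLine": "svc.exe -nw -exec=C:\\Users\\Public\\stage2.cmd C:",
    },
    {   # plain shadow-copy creation without -exec: no alert
        "Image": "C:\\Tools\\vshadow.exe",
        "OriginalFileName": "vshadow.exe",
        "CommandLine": "vshadow.exe -p -nw C:",
    },
    {   # "-exec" in the command line of a different binary: no alert
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c C:\\backup\\nightly.bat -exec",
    },
]


def run_detection(events=SAMPLE_EVENTS):
    """Return the command lines of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection():
        print("ALERT:", hit)
```

Two things worth noting when deploying the rule: the renamed-binary case is only caught if the sensor populates OriginalFileName from the PE version resource (Sysmon does; some EDR process events do not), and `contains: '-exec'` also matches the `-exec=` spelling, so the selection does not depend on how the operator separates the flag from its argument.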
Related rules
- Outlook EnableUnsafeClientMailRules Setting Enabled
- Suspicious Remote Child Process From Outlook
- Potential Binary Impersonating Sysinternals Tools
- Renamed NirCmd.EXE Execution
- Renamed ZOHO Dctask64 Execution