Techniques
Sample rules
Copy From VolumeShadowCopy Via Cmd.EXE
- source: sigma
- techniques:
- t1490
Description
Detects execution of the built-in “copy” command with a volume shadow copy device path as its source (sometimes used to copy registry hives that are in use and therefore locked on the live volume)
Detection logic
selection:
    CommandLine|contains|all:
        - 'copy '
        - '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
condition: selection
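The detection above, run over a handful of constructed process-creation events, as an added example (this is not code from the Sigma project; the helper names sigma_unescape, matches, run_rule and the SAMPLE_EVENTS list are this example's own, and the events are made up rather than captured telemetry). It decodes the Sigma escaping of the second fragment so you can see the literal string that has to occur in CommandLine, applies contains|all with Sigma's default case-insensitive string matching, and reports which events fire:

```python
"""Plain-Python re-implementation of the rule 'Copy From VolumeShadowCopy
Via Cmd.EXE' (example code, not part of Sigma or any Sigma backend)."""

# The two fragments exactly as the rule lists them, still in Sigma-escaped form.
RULE_FRAGMENTS = (
    "copy ",
    r"\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy",
)


def sigma_unescape(value: str) -> str:
    """Decode Sigma string escaping.

    A backslash escapes the next character when that character is another
    backslash or one of the wildcards '*' and '?'. This rule contains no
    unescaped wildcards, so the decoded value is treated as a plain literal.
    """
    out = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in "\\*?":
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


# Decoded once; these are the substrings that actually have to appear.
DECODED_FRAGMENTS = tuple(sigma_unescape(f) for f in RULE_FRAGMENTS)


def matches(command_line: str) -> bool:
    """'CommandLine|contains|all': every fragment must be a substring.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased before the comparison.
    """
    cl = command_line.lower()
    return all(frag.lower() in cl for frag in DECODED_FRAGMENTS)


# Constructed sample events (not real telemetry); only CommandLine is consulted.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM" C:\Users\Public\sam.save'},
    {"id": 2, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c COPY \\?\globalroot\device\harddiskvolumeshadowcopy2\Windows\NTDS\ntds.dit C:\temp\ntds.dit"},
    {"id": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Windows\System32\config\SYSTEM C:\temp\SYSTEM"},
    {"id": 4, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"id": 5, "Image": r"C:\Windows\System32\xcopy.exe",
     "CommandLine": r"xcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\Public C:\temp\pub /E"},
]


def run_rule(events):
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if matches(e["CommandLine"])]


if __name__ == "__main__":
    print("decoded path fragment:", DECODED_FRAGMENTS[1])
    print("alerting event ids:", run_rule(SAMPLE_EVENTS))
```

Two properties of the rule are visible in the output. The decoded second fragment is the literal `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy`, so a command line that reads the hive straight from `C:\Windows\System32\config` (event 3) does not fire even though it uses `copy`. And because `'copy '` is a plain substring match, `xcopy ` and `robocopy ` invocations that reference a shadow copy path (event 5) satisfy the rule as well; whether that is desirable depends on how the alert is triaged.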