LoFP / false positives may occur if you execute the script from one of the paths mentioned in the rule. Apply additional filters that fit your org's needs.

Techniques

Sample rules

Diskshadow Script Mode - Execution From Potential Suspicious Location

Description

Detects execution of “Diskshadow.exe” in script mode using the “/s” flag where the script is located in a potentially suspicious location.

Detection logic

selection_img:
  - OriginalFileName: 'diskshadow.exe'
  - Image|endswith: '\diskshadow.exe'
selection_cli:
  CommandLine|contains|windash: '-s '
selection_paths:
  CommandLine|contains:
    - ':\Temp\'
    - ':\Windows\Temp\'
    - '\AppData\Local\'
    - '\AppData\Roaming\'
    - '\ProgramData\'
    - '\Users\Public\'
condition: all of selection_*
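To make the matching semantics concrete (the list under selection_img is an OR between the two field tests, the windash modifier makes '-s ' also match '/s ' and the Unicode dash spellings, and the condition ANDs the three selections), here is an added Python evaluator that is not part of the LoFP page or the Sigma rule set. It runs the rule's logic over constructed process-creation events and also shows an org-specific exclusion of the kind the false-positive note asks for. The field names, the sample command lines, the "ContosoBackup" allowlisted path and the exact set of windash characters are assumptions.

```python
"""Added example (not from the LoFP page or the Sigma project): a minimal
evaluator for the Diskshadow script-mode rule, run over constructed
process-creation events."""

# Characters the Sigma "windash" modifier expands "-" into. Assumption: hyphen,
# slash, en dash, em dash and horizontal bar, as described in the Sigma spec;
# a given backend may support a subset.
DASH_VARIANTS = "-/\u2013\u2014\u2015"

# Path fragments copied from the rule's selection_paths.
SUSPICIOUS_PATHS = [
    ":\\Temp\\", ":\\Windows\\Temp\\", "\\AppData\\Local\\",
    "\\AppData\\Roaming\\", "\\ProgramData\\", "\\Users\\Public\\",
]


def windash_variants(value: str) -> list[str]:
    """Expand a pattern containing '-' into every dash/slash spelling."""
    return [value.replace("-", d) for d in DASH_VARIANTS]


def contains(haystack: str, needle: str) -> bool:
    """Sigma string matching is case-insensitive by default."""
    return needle.lower() in haystack.lower()


def matches_rule(event: dict, exclusions: tuple[str, ...] = ()) -> bool:
    """True when all three selection_* blocks match and no exclusion matches,
    i.e. 'condition: all of selection_* and not filter_*'."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    cmd = event.get("CommandLine", "")

    # selection_img: a list of maps is an OR between the two field tests.
    selection_img = (original.lower() == "diskshadow.exe"
                     or image.lower().endswith("\\diskshadow.exe"))
    # selection_cli: '-s ' with windash also matches '/s ', '\u2013s ', ...
    selection_cli = any(contains(cmd, v) for v in windash_variants("-s "))
    # selection_paths: a list under one field is an OR over the fragments.
    selection_paths = any(contains(cmd, p) for p in SUSPICIOUS_PATHS)
    # Org-specific tuning: known-good script locations (assumed, see below).
    excluded = any(contains(cmd, e) for e in exclusions)
    return selection_img and selection_cli and selection_paths and not excluded


def evaluate(events: list[dict], exclusions: tuple[str, ...] = ()) -> list[int]:
    """Indices of the events that would raise an alert."""
    return [i for i, ev in enumerate(events) if matches_rule(ev, exclusions)]


# Constructed sample events (not real telemetry).
SYSTEM_IMAGE = "C:\\Windows\\System32\\diskshadow.exe"
EVENTS = [
    {"Image": SYSTEM_IMAGE, "OriginalFileName": "diskshadow.exe",
     "CommandLine": "diskshadow.exe /s C:\\Users\\Public\\vss.txt"},      # alert: \Users\Public\
    {"Image": SYSTEM_IMAGE, "OriginalFileName": "diskshadow.exe",
     "CommandLine": "diskshadow.exe -s C:\\ProgramData\\ContosoBackup\\nightly.dsh"},  # alert unless excluded
    {"Image": SYSTEM_IMAGE, "OriginalFileName": "diskshadow.exe",
     "CommandLine": "diskshadow.exe /s C:\\Backup\\Scripts\\nightly.txt"},  # no alert: path not listed
    {"Image": SYSTEM_IMAGE, "OriginalFileName": "diskshadow.exe",
     "CommandLine": "diskshadow.exe"},                                     # no alert: interactive mode
    {"Image": "C:\\Tools\\dscopy.exe", "OriginalFileName": "dscopy.exe",
     "CommandLine": "dscopy.exe /s C:\\Temp\\script.txt"},                 # no alert: image does not match
    {"Image": SYSTEM_IMAGE, "OriginalFileName": "diskshadow.exe",
     "CommandLine": "diskshadow.exe \u2013s C:\\Users\\Public\\x.txt"},    # alert: en dash via windash
]

# Assumed allowlist for a legitimate backup job, the kind of filter the
# false-positive note recommends adding.
KNOWN_BACKUP_SCRIPTS = ("\\ProgramData\\ContosoBackup\\",)

if __name__ == "__main__":
    print("alerts, untuned:", evaluate(EVENTS))                          # [0, 1, 5]
    print("alerts, with allowlist:", evaluate(EVENTS, KNOWN_BACKUP_SCRIPTS))  # [0, 5]
```

The exclusion is deliberately a path prefix rather than a whole command line, so the legitimate job keeps matching after a filename change while any other script under ProgramData still alerts.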