Diskshadow Script Mode - Uncommon Script Extension Execution
- source: sigma
- techniques:
- t1218
Description
Detects execution of "Diskshadow.exe" in script mode to run a script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.
Detection logic
selection_img:
  - OriginalFileName: diskshadow.exe
  - Image|endswith: \diskshadow.exe
selection_flag:
  CommandLine|contains|windash: '-s '
filter_main_ext:
  CommandLine|contains: .txt
condition: all of selection_* and not 1 of filter_main_*
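To make the detection logic concrete, here is an added example (written for this page, not code from the Sigma project) that re-implements the rule's three blocks and its condition as plain Python and runs them over a handful of constructed process-creation events. The events, field names (Image, OriginalFileName, CommandLine, as in the Sigma process_creation log source) and paths are assumptions; the matching semantics follow Sigma's defaults: string comparisons are case-insensitive, a list under a selection is OR-ed, and `windash` also matches the flag written with a forward slash.

```python
"""Evaluate the Diskshadow script-mode Sigma rule against sample process-creation events.

Added example: mirrors the rule's detection block by hand; it is not a Sigma parser.
"""
from typing import Dict, List

# Values copied from the rule's detection block
IMAGE_SUFFIX = "\\diskshadow.exe"       # selection_img, Image|endswith
ORIGINAL_FILE_NAME = "diskshadow.exe"   # selection_img, OriginalFileName
SCRIPT_FLAG = "-s "                     # selection_flag, CommandLine|contains|windash
ALLOWED_EXTENSION = ".txt"              # filter_main_ext, CommandLine|contains


def windash_variants(value: str) -> List[str]:
    """Sigma 'windash' modifier: match the value with '-' and with '/' as the switch character.

    Newer Sigma backends also expand Unicode dashes; that is not modelled here.
    """
    return [value, value.replace("-", "/")]


def contains_ci(haystack: str, needle: str) -> bool:
    """Sigma string matching is case-insensitive by default."""
    return needle.lower() in haystack.lower()


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies: all of selection_* and not 1 of filter_main_*."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    cmdline = event.get("CommandLine", "")

    # selection_img: list items are OR-ed, so a renamed binary is still caught via OriginalFileName
    selection_img = (original.lower() == ORIGINAL_FILE_NAME
                     or image.lower().endswith(IMAGE_SUFFIX))

    # selection_flag: '-s ' or '/s ' anywhere in the command line (note the trailing space)
    selection_flag = any(contains_ci(cmdline, v) for v in windash_variants(SCRIPT_FLAG))

    # filter_main_ext: suppress the baselined .txt extension
    filter_main_ext = contains_ci(cmdline, ALLOWED_EXTENSION)

    return selection_img and selection_flag and not filter_main_ext


# Constructed sample events (hypothetical paths, not from any real host)
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\diskshadow.exe", "OriginalFileName": "diskshadow.exe",
     "CommandLine": r"diskshadow.exe -s C:\Users\Public\backup.txt"},      # .txt -> filtered
    {"Image": r"C:\Windows\System32\diskshadow.exe", "OriginalFileName": "diskshadow.exe",
     "CommandLine": r"diskshadow.exe /s C:\ProgramData\update.dat"},      # windash, uncommon ext
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe -s C:\Temp\notes.cfg"},                 # wrong image
    {"Image": r"C:\Temp\ds.exe", "OriginalFileName": "diskshadow.exe",
     "CommandLine": r"ds.exe -s C:\Temp\plan.cfg"},                       # renamed, caught by OriginalFileName
    {"Image": r"C:\Windows\System32\diskshadow.exe", "OriginalFileName": "diskshadow.exe",
     "CommandLine": r"diskshadow.exe -l C:\Temp\diskshadow.log"},         # no script-mode switch
]


def evaluate_samples() -> List[bool]:
    """Run the rule over every sample event and return one verdict per event."""
    return [matches_rule(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        print("ALERT" if hit else "ok   ", event["CommandLine"])
```

Two things the run makes visible: the filter is a plain substring test, so any command line containing ".txt" anywhere is suppressed, which is why the description insists on baselining the extension list rather than treating it as a safe default; and the OriginalFileName branch is what keeps the rule effective when the binary is copied under another name.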