LoFP / It is possible that other utilities or system processes may legitimately write to this folder. Investigate and modify the search to include exceptions as appropriate.

Techniques

Sample rules

Suspicious writes to System Volume Information

Description

This search detects writes to the ‘System Volume Information’ folder by something other than the System process.

Detection logic

(`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\ Volume Information*
| stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_writes_to_system_volume_information_filter`
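The following is an added example, not part of this LoFP entry or of the Splunk rule it documents: it replays the same logic in Python over a handful of constructed Sysmon Event ID 11 records, grouping like the `stats` line does, and stands in for the `..._filter` macro with a hypothetical image allowlist so the false-positive note above can be acted on.

```python
"""Added example: the 'Suspicious writes to System Volume Information' logic
over constructed Sysmon Event ID 11 (FileCreate) records, not the rule's own code."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events; field names mirror the SPL (dest, Image, file_path, process_id).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:00", "dest": "wks01", "EventCode": 11, "process_id": 4,
     "Image": "System", "file_path": r"C:\System Volume Information\tracking.log"},
    {"_time": "2024-05-01T09:05:00", "dest": "wks01", "EventCode": 11, "process_id": 5120,
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "file_path": r"C:\System Volume Information\cache.bin"},
    {"_time": "2024-05-01T09:07:00", "dest": "wks01", "EventCode": 11, "process_id": 5120,
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "file_path": r"C:\System Volume Information\cache.bin"},
    {"_time": "2024-05-01T09:10:00", "dest": "srv02", "EventCode": 11, "process_id": 1304,
     "Image": r"C:\Windows\System32\svchost.exe",
     "file_path": r"D:\System Volume Information\WPSettings.dat"},
    {"_time": "2024-05-01T09:12:00", "dest": "srv02", "EventCode": 1, "process_id": 9001,
     "Image": r"C:\Windows\System32\cmd.exe", "file_path": ""},
    {"_time": "2024-05-01T09:15:00", "dest": "srv02", "EventCode": 11, "process_id": 777,
     "Image": r"C:\Windows\explorer.exe", "file_path": r"C:\Users\bob\notes.txt"},
]

# Hypothetical allowlist standing in for the `..._filter` macro: the LoFP note says other
# system processes may legitimately write here, so this set is tuned per environment.
DEFAULT_FILTER = {r"C:\Windows\System32\svchost.exe"}


def matches_rule(ev):
    """EventCode=11 process_id!=4 file_path=*System\\ Volume Information*"""
    return (ev.get("EventCode") == 11
            and ev.get("process_id") != 4
            and "System Volume Information" in ev.get("file_path", ""))


def detect(events, image_filter=DEFAULT_FILTER):
    """Return {(dest, Image, file_path): {"count", "firstTime", "lastTime"}}, like the stats line."""
    groups = defaultdict(list)
    for ev in events:
        if matches_rule(ev) and ev["Image"] not in image_filter:
            groups[(ev["dest"], ev["Image"], ev["file_path"])].append(
                datetime.fromisoformat(ev["_time"]))
    return {k: {"count": len(t), "firstTime": min(t), "lastTime": max(t)}
            for k, t in groups.items()}


if __name__ == "__main__":
    for key, stats in detect(SAMPLE_EVENTS).items():
        print(key, stats)
```

With the allowlist applied only the Temp-resident writer on wks01 surfaces; passing an empty filter also returns the svchost write, which is exactly the kind of hit the false-positive note asks you to review.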