Techniques
Sample rules
Proxy Execution via Vshadow
- source: sigma
- technicques:
- t1202
Description
Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits. VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag, attackers can leverage this parameter to proxy the execution of malware.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: -exec
selection_img:
- Image|endswith: \vshadow.exe
- OriginalFileName: vshadow.exe
Suspicious Scripting in a WMI Consumer
- source: sigma
- technicques:
- t1059
- t1059.005
Description
Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
Detection logic
condition: selection_destination
selection_destination:
- Destination|contains|all:
- new-object
- net.webclient
- .downloadstring
- Destination|contains|all:
- new-object
- net.webclient
- .downloadfile
- Destination|contains:
- ' iex('
- ' -nop '
- ' -noprofile '
- ' -decode '
- ' -enc '
- WScript.Shell
- System.Security.Cryptography.FromBase64Transform