legitimate administrator usage of vssadmin or wmic will create false positives.

t1003
t1003.003
endpoint
splunk

Techniques

T1003
T1003.003

Sample rules

Creation of Shadow Copy

source: splunk
technicques:
- T1003.003
- T1003

Description

Monitor for signs that Vssadmin or Wmic has been used to create a shadow copy.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*) by Processes.dest Processes.user Processes.process_name Processes.process  Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `creation_of_shadow_copy_filter`