LoFP / legitimate administrator working with shadow copies, access for backup purposes

Techniques

Sample rules

Description

Shadow Copies storage symbolic link creation using operating system utilities

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - mklink
  - HarddiskVolumeShadowCopy

Shadow Copies Creation Using Operating Systems Utilities

Description

Shadow Copies creation using operating system utilities, possible credential access

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
  - shadow
  - create
selection_img:
- Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  - \wmic.exe
  - \vssadmin.exe
- OriginalFileName:
  - PowerShell.EXE
  - pwsh.dll
  - wmic.exe
  - VSSADMIN.EXE
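The two detections above, re-implemented as an added example (not code from this LoFP page or from the Sigma project) and run over constructed Sysmon-style process events, so the backup-account hit this page lists as a false positive can be tagged as expected rather than dropped. The event dicts, the `CORP\svc-backup` account and the allowlist are assumptions for illustration.

```python
# Added example (not the LoFP page's or the Sigma project's own code): the two Sigma
# selections re-implemented over constructed process events plus a constructed allowlist.

SYMLINK_TERMS = ["mklink", "HarddiskVolumeShadowCopy"]        # rule 1, contains|all
CREATE_TERMS = ["shadow", "create"]                           # rule 2, selection_cli
CREATE_IMAGES = ["\\powershell.exe", "\\pwsh.exe", "\\wmic.exe", "\\vssadmin.exe"]
CREATE_ORIGNAMES = ["PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE"]

def _lower(value):
    return (value or "").lower()          # Sigma string matching is case-insensitive

def contains_all(value, terms):           # Sigma `contains|all`: every term is a substring
    return all(t.lower() in _lower(value) for t in terms)

def endswith_any(value, suffixes):        # Sigma `endswith` over a list: any suffix (OR)
    return any(_lower(value).endswith(s.lower()) for s in suffixes)

def equals_any(value, choices):           # Sigma plain list value: equals any entry (OR)
    return any(_lower(value) == c.lower() for c in choices)

def shadow_symlink_match(event):
    """Rule 1: `condition: selection`, one contains|all on CommandLine."""
    return contains_all(event.get("CommandLine"), SYMLINK_TERMS)

def shadow_create_match(event):
    """Rule 2: `all of selection_*`; selection_img is a list of maps, so its entries OR."""
    return contains_all(event.get("CommandLine"), CREATE_TERMS) and (
        endswith_any(event.get("Image"), CREATE_IMAGES)
        or equals_any(event.get("OriginalFileName"), CREATE_ORIGNAMES))

def triage(events, backup_accounts):
    """(user, rules hit, status) per matching event; known backup accounts are the expected LoFP."""
    rules = (("symlink", shadow_symlink_match), ("create", shadow_create_match))
    return [(e["User"], hits, "expected" if e["User"] in backup_accounts else "review")
            for e in events if (hits := [n for n, fn in rules if fn(e)])]

EVENTS = [  # constructed: scheduled backup job, interactive user, symlink, non-matching listing
    {"User": "CORP\\svc-backup", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "OriginalFileName": "VSSADMIN.EXE", "CommandLine": "vssadmin create shadow /for=C:"},
    {"User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "OriginalFileName": "VSSADMIN.EXE", "CommandLine": "vssadmin create shadow /for=C:"},
    {"User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c mklink /d C:\\vss \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\"},
    {"User": "CORP\\svc-backup", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "OriginalFileName": "VSSADMIN.EXE", "CommandLine": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for row in triage(EVENTS, {"CORP\\svc-backup"}):
        print(row)
```

The same `vssadmin create shadow` line fires for both the backup account and the interactive user, which is why the rule alone cannot separate the false positive from a credential-access attempt; the account, host and schedule context has to carry that distinction.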