LoFP / legitimate administrator working with shadow copies, access for backup purposes

Techniques

Sample rules

Shadow Copies Creation Using Operating Systems Utilities

Description

Detects shadow copy creation using operating system utilities; this activity can precede credential access.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
  - shadow
  - create
selection_img:
- Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  - \wmic.exe
  - \vssadmin.exe
- OriginalFileName:
  - PowerShell.EXE
  - pwsh.dll
  - wmic.exe
  - VSSADMIN.EXE

Description

Detects creation of a symbolic link to shadow copy storage using operating system utilities.

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - mklink
  - HarddiskVolumeShadowCopy
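To make the two selections concrete, here is an added example (not part of the page or of the Sigma project) that transcribes both rules into a minimal evaluator and runs them over constructed Sysmon-style process-creation events. It also carries a constructed allowlist of backup-operator accounts so the output shows the false positive this LoFP entry describes: the same `vssadmin create shadow` command fires the first rule whether it comes from a backup administrator or from an ordinary user, and the analyst has to separate the two in triage. The events, user names, allowlist and function names are all assumptions made for the example; the matcher supports only the modifiers and condition forms that appear on this page, not the full Sigma specification.

```python
"""Toy Sigma evaluator for the two shadow-copy rules above (added example).

Supports only what the page uses: contains|all, endswith, exact match,
'selection' and 'all of selection_*' conditions. Matching is case-insensitive,
as in Sigma.
"""

# Rule 1 transcribed from the page: Shadow Copies Creation Using OS Utilities
SHADOW_CREATE_RULE = {
    "condition": "all of selection_*",
    "selection_cli": {"CommandLine|contains|all": ["shadow", "create"]},
    "selection_img": [  # list of maps = OR between the two maps
        {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe", "\\wmic.exe", "\\vssadmin.exe"]},
        {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE"]},
    ],
}

# Rule 2 transcribed from the page: shadow copy storage symbolic link creation
SYMLINK_RULE = {
    "condition": "selection",
    "selection": {"CommandLine|contains|all": ["mklink", "HarddiskVolumeShadowCopy"]},
}

RULES = {"shadow_copy_create": SHADOW_CREATE_RULE, "shadow_storage_symlink": SYMLINK_RULE}

# Constructed allowlist of accounts expected to create shadow copies for backups.
BACKUP_OPERATORS = {"corp\\backup-admin"}


def _field_matches(event, key, values):
    """Apply one field spec such as 'Image|endswith' to the event."""
    field, *modifiers = key.split("|")
    actual = str(event.get(field, "")).lower()
    if "contains" in modifiers:
        hits = [v.lower() in actual for v in values]
    elif "endswith" in modifiers:
        hits = [actual.endswith(v.lower()) for v in values]
    else:  # no modifier: exact, case-insensitive comparison
        hits = [actual == v.lower() for v in values]
    return all(hits) if "all" in modifiers else any(hits)


def _selection_matches(event, selection):
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(selection, list):
        return any(_selection_matches(event, item) for item in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event, rule):
    cond = rule["condition"]
    if cond == "all of selection_*":
        names = [k for k in rule if k.startswith("selection_")]
        return all(_selection_matches(event, rule[n]) for n in names)
    return _selection_matches(event, rule[cond])


def evaluate(events):
    """Return one triage record per event that matched at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        matched = [name for name, rule in RULES.items() if rule_matches(ev, rule)]
        if matched:
            hits.append({
                "index": i,
                "rules": matched,
                "user": ev.get("User", ""),
                # True when the account is an expected backup operator (the LoFP case)
                "known_backup_context": ev.get("User", "").lower() in BACKUP_OPERATORS,
            })
    return hits


# Constructed process-creation events, not real telemetry.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin create shadow /for=C:", "User": "CORP\\backup-admin"},
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic shadowcopy call create Volume=C:\\", "User": "CORP\\jdoe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c mklink /d C:\\sc \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\",
     "User": "CORP\\jdoe"},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin list shadows", "User": "CORP\\backup-admin"},
]

if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(hit)
```

Only the first three events produce hits; `vssadmin list shadows` contains "shadow" but not "create", so the first rule stays quiet, and the `mklink` event matches only the second rule because its command line lacks "create". The `known_backup_context` flag is a triage aid for the analyst, not a reason to drop the alert: the same command from an unexpected account is the case the rule exists for.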