legitimate use of volume shadow copy mounts (backups maybe).

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml>sigma
technicques: t1003 t1003.002

Techniques

Detects volume shadow copy mount via Windows event log

condition: selection
selection:
  DeviceName|contains: HarddiskVolumeShadowCopy
  EventID: 98
  Provider_Name: Microsoft-Windows-Ntfs