LoFP / Legitimate use of vssvc, such as backup operations. It would usually be done by c:\windows\system32\vssvc.exe.

Techniques

Sample rules

VSSAudit Security Event Source Registration

Description

Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.

Detection logic

condition: selection
selection:
  AuditSourceName: VSSAudit
  EventID:
  - 4904
  - 4905
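The following is an added example, not code from the LoFP page or the Sigma project. It applies the selection above (AuditSourceName VSSAudit, EventID 4904 or 4905) to a handful of constructed Security events and then separates the documented legitimate case, registrations performed by c:\windows\system32\vssvc.exe, from any other registrant that would still need analyst review. The field name `ProcessName` is an assumption about how the "Process Name" value of events 4904/4905 is normalized in a given log pipeline; adjust it to your schema.

```python
from typing import Dict, List, Tuple

# Constructed sample events (not real log data). The ProcessName field name is
# an assumption about how the 4904/4905 "Process Name" value is normalized.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4904, "AuditSourceName": "VSSAudit",
     "ProcessName": r"C:\Windows\System32\VSSVC.exe"},      # expected: shadow copy activity
    {"EventID": 4905, "AuditSourceName": "VSSAudit",
     "ProcessName": r"C:\Windows\System32\VSSVC.exe"},      # expected: source unregistered
    {"EventID": 4904, "AuditSourceName": "VSSAudit",
     "ProcessName": r"C:\Users\Public\tool.exe"},           # constructed: unexpected registrant
    {"EventID": 4904, "AuditSourceName": "SomethingElse",
     "ProcessName": r"C:\Windows\System32\svchost.exe"},    # different event source, no match
    {"EventID": 4624, "AuditSourceName": "VSSAudit",
     "ProcessName": r"C:\Windows\System32\VSSVC.exe"},      # wrong EventID, no match
]

# The rule's selection block, transcribed from the page: every key must match,
# and a list value means "any of these" (Sigma semantics).
SELECTION: Dict[str, object] = {
    "AuditSourceName": "VSSAudit",
    "EventID": [4904, 4905],
}

# The registrant the page documents as the usual, legitimate one.
EXPECTED_REGISTRANT = r"c:\windows\system32\vssvc.exe"


def _norm(value: object) -> object:
    """Sigma string comparisons are case-insensitive by default; mirror that."""
    return value.lower() if isinstance(value, str) else value


def matches_selection(event: Dict[str, object],
                      selection: Dict[str, object] = SELECTION) -> bool:
    """Return True when the event satisfies every field of the selection."""
    for field, expected in selection.items():
        if field not in event:
            return False
        allowed = expected if isinstance(expected, list) else [expected]
        if _norm(event[field]) not in [_norm(a) for a in allowed]:
            return False
    return True


def is_documented_benign(event: Dict[str, object]) -> bool:
    """True when the registering process is the one the LoFP entry names."""
    return str(event.get("ProcessName", "")).lower() == EXPECTED_REGISTRANT


def triage(events: List[Dict[str, object]]
           ) -> Tuple[List[Dict[str, object]], List[Dict[str, object]]]:
    """Split rule hits into (known-benign, needs-review) lists.

    Hits that do not come from vssvc.exe are kept rather than dropped, so the
    false-positive handling never silences a registration by something else.
    """
    benign: List[Dict[str, object]] = []
    review: List[Dict[str, object]] = []
    for event in events:
        if not matches_selection(event):
            continue
        (benign if is_documented_benign(event) else review).append(event)
    return benign, review


if __name__ == "__main__":
    known, suspicious = triage(SAMPLE_EVENTS)
    print(f"rule hits: {len(known) + len(suspicious)}, "
          f"documented benign: {len(known)}, needs review: {len(suspicious)}")
    for event in suspicious:
        print("review:", event["EventID"], event["ProcessName"])
```

Keeping the process check outside the Sigma selection, as a triage step rather than a filter baked into the rule, preserves the rule's coverage: a VSSAudit registration by any binary other than vssvc.exe still surfaces, which is exactly the case the LoFP note does not cover.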