LoFP LoFP / system backup or administrator tools

Techniques

Sample rules

Proxy Execution via Vshadow

Description

Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits. VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag, attackers can leverage this parameter to proxy the execution of malware.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: -exec
selection_img:
- Image|endswith: \vshadow.exe
- OriginalFileName: vshadow.exe