detection.wiki

Detection rules › Sigma

Shadow Copies Creation Using Operating Systems Utilities

Severity
medium
Author
Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
Source
upstream

Shadow Copies creation using operating systems utilities, possible credential access

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1003 OS Credential Dumping, T1003.002 OS Credential Dumping: Security Account Manager, T1003.003 OS Credential Dumping: NTDS

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: all of selection_img

or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\vssadmin.exe'
Image|endswith: '\wmic.exe'
OriginalFileName: PowerShell.EXE
OriginalFileName: VSSADMIN.EXE
OriginalFileName: pwsh.dll
OriginalFileName: wmic.exe

Stage 2: all of selection_cli

CommandLine|contains: create
CommandLine|contains: shadow

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • create corpus 8 (sigma 8)
  • shadow corpus 2 (sigma 2)
Imageends_with
  • \powershell.exe corpus 143 (sigma 143)
  • \pwsh.exe corpus 140 (sigma 140)
  • \vssadmin.exe corpus 5 (sigma 5)
  • \wmic.exe corpus 37 (sigma 37)
OriginalFileNameeq
  • PowerShell.EXE corpus 64 (sigma 60, splunk 4)
  • VSSADMIN.EXE corpus 3 (sigma 3)
  • pwsh.dll corpus 72 (sigma 68, splunk 4)
  • wmic.exe corpus 33 (sigma 33)