SigmaHQ/rules/windows/process_creation/win_shadow_copies_creation.yml

title: Shadow Copies Creation Using Operating Systems Utilities
id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce
description: Shadow Copies creation using operating systems utilities, possible credential access
author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2019/10/22
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
tags:
    - attack.credential_access
    - attack.t1003
    - attack.t1003.002
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\wmic.exe'
            - '\vssadmin.exe'
        CommandLine|contains|all:
            - shadow
            - create
    condition: selection
falsepositives:
    - Legitimate administrator working with shadow copies, access for backup purposes
status: experimental
level: medium
Rule fixes Made tests pass the new CI tests. Added further allowed lower case words in rule test. 2020-02-20 22:00:16 +00:00			`title: Shadow Copies Creation Using Operating Systems Utilities`
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing. 2019-12-19 22:56:36 +00:00			`id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`description: Shadow Copies creation using operating systems utilities, possible credential access`
			`author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community`
			`date: 2019/10/22`
			`references:`
			`- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment`
			`- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/`
			`tags:`
			`- attack.credential_access`
			`- attack.t1003`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1003.002`
			`- attack.t1003.003`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
standardize rules with Image and CommandLine instead of NewProcessName and ProcessCommandLine 2020-05-15 16:35:32 +00:00			`Image\|endswith:`
Update process_creation_shadow_copies_creation.yml 2019-11-13 21:48:50 +00:00			`- '\powershell.exe'`
			`- '\wmic.exe'`
			`- '\vssadmin.exe'`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`CommandLine\|contains\|all:`
			`- shadow`
			`- create`
			`condition: selection`
			`falsepositives:`
			`- Legitimate administrator working with shadow copies, access for backup purposes`
			`status: experimental`
			`level: medium`