SigmaHQ/rules/windows/process_creation/win_shadow_copies_access_symlink.yml

title: Shadow Copies Access via Symlink
id: 40b19fa6-d835-400c-b301-41f3a2baacaf
description: Shadow Copies storage symbolic link creation using operating systems utilities
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
    - attack.credential_access
    - attack.t1003 # an old one
    - attack.t1003.002
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - mklink
            - HarddiskVolumeShadowCopy
    condition: selection
falsepositives:
    - Legitimate administrator working with shadow copies, access for backup purposes
status: experimental
level: medium
Rule fixes Made tests pass the new CI tests. Added further allowed lower case words in rule test. 2020-02-20 22:00:16 +00:00			`title: Shadow Copies Access via Symlink`
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing. 2019-12-19 22:56:36 +00:00			`id: 40b19fa6-d835-400c-b301-41f3a2baacaf`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`description: Shadow Copies storage symbolic link creation using operating systems utilities`
			`author: Teymur Kheirkhabarov, oscd.community`
			`date: 2019/10/22`
			`references:`
			`- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment`
			`tags:`
			`- attack.credential_access`
att&ck tags review: windows/process_creation part 5 added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes 2020-09-06 22:00:41 +00:00			`- attack.t1003 # an old one`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1003.002`
			`- attack.t1003.003`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`CommandLine\|contains\|all:`
			`- mklink`
			`- HarddiskVolumeShadowCopy`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`condition: selection`
			`falsepositives:`
			`- Legitimate administrator working with shadow copies, access for backup purposes`
			`status: experimental`
			`level: medium`