valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
80639afd43
SigmaHQ/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
Ivan Kirillov 0fbfcc6ba9 Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00

26 lines
794 B
YAML
Raw Blame History

title: Shadow Copies Access via Symlink
id: 40b19fa6-d835-400c-b301-41f3a2baacaf
description: Shadow Copies storage symbolic link creation using operating systems utilities
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.002
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- mklink
- HarddiskVolumeShadowCopy
condition: selection
falsepositives:
- Legitimate administrator working with shadow copies, access for backup purposes
status: experimental
level: medium
Reference in New Issue View Git Blame Copy Permalink