Diskshadow Script Mode - Uncommon Script Extension Execution
Detects execution of "Diskshadow.exe" in script mode to execute a script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
  selection_img:
    - OriginalFileName: 'diskshadow.exe'
    - Image|endswith: '\diskshadow.exe'
  selection_flag:
    CommandLine|contains|windash: '-s '
  filter_main_ext:
    # Note: can be changed to an "endswith" to avoid rare FPs. But you need to account for quoted paths
    # Note: Using the ".txt" is based on the MS documentation example. Best add the extension you use internally before using this rule
    CommandLine|contains: '.txt'
  condition: all of selection_* and not 1 of filter_main_*
False positives might occur with legitimate or uncommon extensions used internally. Initial baseline is required.
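The detection above, worked through as an added example in Python that is not part of the Sigma project or this page: it evaluates the rule's three blocks against constructed process-creation events, expands the "-s " value the way the Sigma windash modifier does (hyphen, slash and the Unicode dash variants), matches case-insensitively as Sigma does, and takes the internally allowed extension list as a parameter so the baselining step can be exercised. The sample events, the ".dsh" extension and the paths are constructed for the example.

```python
"""Evaluate the Diskshadow 'uncommon script extension' Sigma logic
against constructed process-creation events (added example, not the
Sigma project's own code)."""

# Sigma |windash expands a hyphen into these dash variants (assumption:
# the set used by the Sigma specification).
DASH_VARIANTS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash_variants(value):
    """Return every variant of 'value' produced by the |windash modifier."""
    return [value.replace("-", dash) for dash in DASH_VARIANTS]


def selection_img(event):
    """selection_img: OriginalFileName == diskshadow.exe OR Image endswith \\diskshadow.exe."""
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    return original == "diskshadow.exe" or image.endswith("\\diskshadow.exe")


def selection_flag(event):
    """selection_flag: CommandLine contains '-s ' in any windash form."""
    cmd = event.get("CommandLine", "").lower()
    return any(variant in cmd for variant in windash_variants("-s "))


def filter_main_ext(event, allowed_extensions=(".txt",)):
    """filter_main_ext: CommandLine contains one of the baselined extensions.
    'contains' (rather than 'endswith') also covers quoted paths."""
    cmd = event.get("CommandLine", "").lower()
    return any(ext.lower() in cmd for ext in allowed_extensions)


def rule_matches(event, allowed_extensions=(".txt",)):
    """condition: all of selection_* and not 1 of filter_main_*"""
    return (
        selection_img(event)
        and selection_flag(event)
        and not filter_main_ext(event, allowed_extensions)
    )


def evaluate(events, allowed_extensions=(".txt",)):
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if rule_matches(e, allowed_extensions)]


# Constructed sample events (not real telemetry).
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    # Documented extension -> filtered, no alert
    {"Image": SYS32 + r"\diskshadow.exe", "OriginalFileName": "diskshadow.exe",
     "CommandLine": r"diskshadow.exe /s C:\backup\snapshot.txt"},
    # Quoted path, still contains .txt -> filtered, no alert
    {"Image": SYS32 + r"\diskshadow.exe", "OriginalFileName": "diskshadow.exe",
     "CommandLine": r'diskshadow.exe /s "C:\Program Files\Backup\vss.txt"'},
    # Uncommon extension (.dsh is a constructed example) -> alert
    {"Image": SYS32 + r"\diskshadow.exe", "OriginalFileName": "diskshadow.exe",
     "CommandLine": r"diskshadow.exe -s C:\Users\Public\run.dsh"},
    # Interactive mode, no -s flag -> no alert
    {"Image": SYS32 + r"\diskshadow.exe", "OriginalFileName": "diskshadow.exe",
     "CommandLine": "diskshadow.exe"},
    # Different binary with a /s flag -> selection_img fails, no alert
    {"Image": SYS32 + r"\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /s /c whoami"},
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
    # After baselining .dsh as an internal extension the rule goes quiet:
    print("with .dsh baselined:", evaluate(SAMPLE_EVENTS, (".txt", ".dsh")))
```

Running the block prints one alert for the ".dsh" event; extending `allowed_extensions` with the extension an organisation actually uses is the baselining step the rule description calls for, and the quoted-path event shows why the filter uses `contains` rather than `endswith`.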
Diskshadow Script Mode - Execution From Potential Suspicious Location
Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
Detects similar activity. Both rules may fire on overlapping events.
Potentially Suspicious Child Process Of DiskShadow.EXE
Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
Detects similar activity. Both rules may fire on overlapping events.
Diskshadow Child Process Spawned
Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.
Detects similar activity. Both rules may fire on overlapping events.
Diskshadow Script Mode Execution
Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that delete the shadow copies on the system. Investigate the content of the scripts and their location.
Detects similar activity. Both rules may fire on overlapping events.