Detectionhightest
Esentutl Volume Shadow Copy Service Keys
Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Tue Oct 20Updated Sun Dec 255aad0995-46ab-41bd-a9ff-724f41114971windows
Log Source
WindowsRegistry Event
ProductWindows← raw: windows
CategoryRegistry Event← raw: registry_event
Events for Windows Registry modifications including key creation, modification, and deletion.
Detection Logic
Detection Logic2 selectors
detection:
selection:
TargetObject|contains: 'System\CurrentControlSet\Services\VSS'
Image|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter
filter:
TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
condition: selection and not filterFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
5aad0995-46ab-41bd-a9ff-724f41114971
Status
test
Level
high
Type
Detection
Created
Tue Oct 20
Modified
Sun Dec 25
Path
rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
Raw Tags
attack.credential-accessattack.t1003.002