Detectionmediumtest

Potentially Suspicious Child Process Of DiskShadow.EXE

Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Fri Sep 159f546b25-5f12-4c8d-8532-5893dcb1e4b8windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        ParentImage|endswith: '\diskshadow.exe'
        Image|endswith:
            # Note: add or remove additional binaries according to your org needs
            - '\certutil.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
    condition: selection

False Positives

False postitve can occur in cases where admin scripts levreage the "exec" flag to execute applications

References

research.checkpoint.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1218 · System Binary Proxy Execution

Related Rules

SimilarDetectionmedium

Diskshadow Script Mode - Execution From Potential Suspicious Location

Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionmedium

Diskshadow Script Mode - Uncommon Script Extension Execution

Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.

Detects similar activity. Both rules may fire on overlapping events.

SimilarThreat Huntmedium

Diskshadow Child Process Spawned

Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.

Detects similar activity. Both rules may fire on overlapping events.

SimilarThreat Huntmedium

Diskshadow Script Mode Execution

Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

9f546b25-5f12-4c8d-8532-5893dcb1e4b8

Status

test

Level

medium

Type

Detection

Created

Fri Sep 15

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml

Raw Tags

attack.defense-evasionattack.t1218

View on GitHub