Detectionhightest

Create Volume Shadow Copy with Powershell

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Wed Jan 12afd12fed-b0ec-45c9-a13d-aa86625dac81windows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains|all:
            - Win32_ShadowCopy
            - ').Create('
            - ClientAccessible
    condition: selection

False Positives

Legitimate PowerShell scripts

References

Resolving title…

learn.microsoft.com

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Sub-techniques

T1003.003 · NTDS

Other

attack.ds0005

Rule Metadata

Rule ID

afd12fed-b0ec-45c9-a13d-aa86625dac81

Status

test

Level

high

Type

Detection

Created

Wed Jan 12

Author

François Hubaut

Path

rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml

Raw Tags

attack.credential-accessattack.t1003.003attack.ds0005

View on GitHub