Detectionhightest
Copy From VolumeShadowCopy Via Cmd.EXE
Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Max Altgelt (Nextron Systems), Tobias MichalskiCreated Mon Aug 09Updated Tue Mar 07c73124a7-3e89-44a3-bdc1-25fe4df754b1windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic1 selector
detection:
selection:
# cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\
# There is an additional "\" to escape the special "?"
CommandLine|contains|all:
- 'copy '
- '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
condition: selectionFalse Positives
Backup scenarios using the commandline
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
c73124a7-3e89-44a3-bdc1-25fe4df754b1
Status
test
Level
high
Type
Detection
Created
Mon Aug 09
Modified
Tue Mar 07
Path
rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
Raw Tags
attack.impactattack.t1490