Type: Detection | Level: medium | Status: experimental

Proxy Execution via Vshadow

Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits. VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag, attackers can leverage this parameter to proxy the execution of malware.

Author: David Faiss
Created: Mon May 26
Rule ID: d7c75059-2901-4578-b209-8837fd31c6a8
Product: windows

Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection_img:
        - Image|endswith: '\vshadow.exe'
        - OriginalFileName: 'vshadow.exe'
    selection_cli:
        CommandLine|contains: '-exec'
    condition: all of selection_*
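To make the rule's semantics concrete, the following added example (not code from the rule page or from the Sigma project) evaluates the two selectors above against a handful of constructed process-creation events. It assumes Sigma's default behaviour that string modifiers match case-insensitively, that a list under a selection is an OR of its entries, and that `all of selection_*` requires every selection to hold.

```python
"""Evaluate the 'Proxy Execution via Vshadow' Sigma logic over sample events.
Added example; the event records below are constructed, not real telemetry."""


def _field(event, name):
    """Return the named event field as a string ('' when absent or null)."""
    value = event.get(name)
    return "" if value is None else str(value)


def selection_img(event):
    # selection_img is a list, so either field test satisfies it (OR).
    # Sigma string matching is case-insensitive by default.
    image = _field(event, "Image").lower()
    original = _field(event, "OriginalFileName").lower()
    return image.endswith("\\vshadow.exe") or original == "vshadow.exe"


def selection_cli(event):
    # CommandLine|contains: '-exec' is a plain substring test.
    return "-exec" in _field(event, "CommandLine").lower()


def matches(event):
    # condition: all of selection_*  ->  both selections must hold.
    return selection_img(event) and selection_cli(event)


# Constructed sample events (fields as a Sysmon/Security process-creation
# log would carry them). Only events 0 and 3 should fire.
SAMPLE_EVENTS = [
    # 0: renamed copy of the tool; OriginalFileName from the PE version
    #    resource still identifies it, and -exec is present -> match
    {"Image": r"C:\Temp\backup.exe", "OriginalFileName": "vshadow.exe",
     "CommandLine": r"backup.exe -exec=C:\Temp\run.cmd C:"},
    # 1: vshadow creating a persistent shadow copy, no -exec -> no match
    {"Image": r"C:\Tools\vshadow.exe", "OriginalFileName": "vshadow.exe",
     "CommandLine": r"vshadow.exe -p C:"},
    # 2: unrelated process whose arguments happen to contain -exec -> no match
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo -exec"},
    # 3: upper-case path and flag, OriginalFileName missing -> match via Image
    {"Image": r"C:\Tools\VSHADOW.EXE", "OriginalFileName": None,
     "CommandLine": r"VSHADOW.EXE -nw -EXEC=C:\scripts\after.bat D:"},
]


def scan(events):
    """Return the indices of the events the rule fires on."""
    return [i for i, event in enumerate(events) if matches(event)]


if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # [0, 3]
```

Event 0 is why the rule checks OriginalFileName as well as Image; event 2 shows that the `-exec` substring alone is not enough to fire.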
False Positives

System backup or administrator tools

Legitimate administrative scripts

Rule Metadata
Rule ID
d7c75059-2901-4578-b209-8837fd31c6a8
Status
experimental
Level
medium
Type
Detection
Created
Mon May 26
Path
rules/windows/process_creation/proc_creation_win_vshadow_exec.yml
Raw Tags
attack.defense-evasion, attack.t1202