Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectioninformationaltest

VSSAudit Security Event Source Registration

Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Roberto Rodriguez (Cyb3rWard0g), Open Threat Research (OTR)Created Tue Oct 20Updated Thu Apr 28e9faba72-4974-4ab2-a4c5-46e25ad59e9bwindows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic1 selector
detection:
    selection:
        AuditSourceName: VSSAudit
        EventID:
            - 4904
            - 4905
    condition: selection
False Positives

Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\Windows\System32\VSSVC.exe.

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
e9faba72-4974-4ab2-a4c5-46e25ad59e9b
Status
test
Level
informational
Type
Detection
Created
Tue Oct 20
Modified
Thu Apr 28
Author
Roberto Rodriguez (Cyb3rWard0g), Open Threat Research (OTR)
Path
rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml
Raw Tags
attack.credential-accessattack.t1003.002
View on GitHub