Detectionlowtest

Volume Shadow Copy Mount

Detects volume shadow copy mount via Windows event log

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Roberto Rodriguez (Cyb3rWard0g), Open Threat Research (OTR)Created Tue Oct 20Updated Sun Dec 25f512acbf-e662-4903-843e-97ce4652b740windows

Log Source

Windowssystem

ProductWindows← raw: windows

Servicesystem← raw: system

Detection Logic

detection:
    selection:
        Provider_Name: Microsoft-Windows-Ntfs
        EventID: 98
        DeviceName|contains: HarddiskVolumeShadowCopy
    condition: selection

False Positives

Legitimate use of volume shadow copy mounts (backups maybe).

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Sub-techniques

T1003.002 · Security Account Manager

Rule Metadata

Rule ID

f512acbf-e662-4903-843e-97ce4652b740

Status

test

Level

low

Type

Detection

Created

Tue Oct 20

Modified

Sun Dec 25

Author

Roberto Rodriguez (Cyb3rWard0g), Open Threat Research (OTR)

Path

rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml

Raw Tags

attack.credential-accessattack.t1003.002

View on GitHub