Detectionmediumtest

Diskshadow Script Mode - Execution From Potential Suspicious Location

Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Fri Sep 15Updated Tue Mar 05fa1a7e52-3d02-435b-81b8-00da14dd66c1windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - OriginalFileName: 'diskshadow.exe'
        - Image|endswith: '\diskshadow.exe'
    selection_cli:
        CommandLine|contains|windash: '-s '
    selection_paths:
        CommandLine|contains:
            # Note: Add additional susp paths based on your org needs
            - ':\Temp\'
            - ':\Windows\Temp\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\ProgramData\'
            - '\Users\Public\'
    condition: all of selection_*

False Positives

False positives may occur if you execute the script from one of the paths mentioned in the rule. Apply additional filters that fits your org needs.

References

research.checkpoint.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1218 · System Binary Proxy Execution

Related Rules

SimilarDetectionmedium

Diskshadow Script Mode - Uncommon Script Extension Execution

Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionmedium

Potentially Suspicious Child Process Of DiskShadow.EXE

Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.

Detects similar activity. Both rules may fire on overlapping events.

SimilarThreat Huntmedium

Diskshadow Child Process Spawned

Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.

Detects similar activity. Both rules may fire on overlapping events.

SimilarThreat Huntmedium

Diskshadow Script Mode Execution

Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

fa1a7e52-3d02-435b-81b8-00da14dd66c1

Status

test

Level

medium

Type

Detection

Created

Fri Sep 15

Modified

Tue Mar 05

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml

Raw Tags

attack.defense-evasionattack.t1218

View on GitHub