Diskshadow Script Mode - Uncommon Script Extension Execution

Sigma Rules

Summary
This detection rule identifies the execution of 'Diskshadow.exe' in script mode with a script file whose extension is uncommon. It rests on the assumption that running scripts with unusual extensions may indicate an attempt to evade detection and perform unauthorized actions. The rule requires an initial baseline of the file extensions used in legitimate operations; anything outside that baseline should be flagged. The command line must include the '-s' flag, which selects script mode, and the script file's extension is then checked against the baseline, with the sample detection using '.txt' as its filter. The rule is useful in environments where 'Diskshadow' is a common tool but may be misused by adversaries for persistence or credential dumping. Establishing the baseline per best practice and regularly reviewing logged activity is recommended to minimize false positives.
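The following is an added example of the rule's logic applied to process-creation events; it is not the Sigma rule itself. It assumes a baseline of allowed extensions containing only '.txt' (ALLOWED_EXTENSIONS, constructed for the example), treats both '-s' and '/s' as the script-mode flag, and runs over constructed sample events rather than real telemetry.

```python
import ntpath
import re
from typing import Optional

# Assumed baseline of script extensions permitted for diskshadow.exe here
# (constructed for the example; derive the real baseline from your own usage).
ALLOWED_EXTENSIONS = {".txt"}

# Tokenise a Windows command line, honouring double-quoted arguments.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmdline: str) -> list[str]:
    return [quoted or plain for quoted, plain in _TOKEN_RE.findall(cmdline)]

def script_argument(cmdline: str) -> Optional[str]:
    """Argument after -s or /s; '' if the flag has none; None if not script mode."""
    tokens = tokenize(cmdline)
    for i, tok in enumerate(tokens):
        if tok.lower() in ("-s", "/s"):
            return tokens[i + 1] if i + 1 < len(tokens) else ""
    return None

def evaluate(event: dict) -> Optional[str]:
    """Apply the rule to one process-creation event; return an alert or None."""
    if ntpath.basename(event.get("Image", "")).lower() != "diskshadow.exe":
        return None
    script = script_argument(event.get("CommandLine", ""))
    if script is None:
        return None  # interactive diskshadow, not script mode
    ext = ntpath.splitext(script)[1].lower()
    if ext in ALLOWED_EXTENSIONS:
        return None  # baseline extension, filtered out as in the sample rule
    return f"diskshadow script mode with uncommon extension {ext or '(none)'}: {script!r}"

# Constructed sample process-creation events (not real telemetry).
DISKSHADOW = r"C:\Windows\System32\diskshadow.exe"
SAMPLE_EVENTS = [
    {"Image": DISKSHADOW, "CommandLine": r"diskshadow.exe -s C:\Scripts\backup.txt"},
    {"Image": DISKSHADOW, "CommandLine": r'DiskShadow.exe /S "C:\Program Files\Tool\job.log"'},
    {"Image": DISKSHADOW, "CommandLine": r"diskshadow.exe -s C:\Users\Public\update.dsh"},
    {"Image": DISKSHADOW, "CommandLine": "diskshadow.exe"},
    {"Image": r"C:\Windows\notepad.exe", "CommandLine": "notepad.exe -s notes.bin"},
]

def run_detection(events: list[dict]) -> list[str]:
    """Return the alerts raised over a batch of events (two for SAMPLE_EVENTS)."""
    return [alert for alert in map(evaluate, events) if alert]
```

A script-mode invocation with no file argument is also reported, since an empty extension cannot match the baseline.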
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2023-09-15