Copy From VolumeShadowCopy Via Cmd.EXE

Summary
This detection rule identifies executions of the cmd.exe built-in 'copy' command whose command line targets a Volume Shadow Copy. Shadow copies are point-in-time snapshots of a volume, normally used to back up files or system state while they are in use; because a snapshot is read outside the live volume's file locks, it can expose data that is otherwise inaccessible, such as the registry hives (SAM, SYSTEM, SECURITY) or the Active Directory database that hold password hashes. The rule triggers when the command line contains the shadow copy device path 'Globalroot\Device\HarddiskVolumeShadowCopy' (typically written in full as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\...). Copying out of a shadow copy is a well-known way for an attacker to read locked files and extract credential material without touching the live files, so a match is a potential indicator of credential dumping. Since 'copy' is heavily used for benign purposes, the command line parameters, in particular the source path and the name of the file being copied, should be examined to determine the intent behind the execution.
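The matching logic described above, run over a handful of constructed process-creation events. This is an added example and not the Sigma rule itself or the rule author's code: the event field names (Image, CommandLine) follow the Sysmon/Sigma convention and are an assumption, the cmd.exe image check is derived from the rule's title rather than stated in the summary, and the sample events are invented for illustration.

```python
"""Toy matcher for the 'copy from a Volume Shadow Copy via cmd.exe' logic.

Added example, not the Sigma rule itself.  Field names and the sample
events below are assumptions / constructed data.
"""

# Device-namespace path of a shadow copy, as named on the page.  Sigma string
# matching is case-insensitive, so everything is compared in lowercase.
SHADOW_COPY_PATH = r"globalroot\device\harddiskvolumeshadowcopy"
COPY_TOKEN = "copy "

# File names that almost always mean credential dumping when read from a
# shadow copy (registry hives holding hashes, and the AD database).
CREDENTIAL_STORES = {"sam", "system", "security", "ntds.dit"}


def matches(event: dict) -> bool:
    """True when the event looks like cmd.exe's 'copy' reading a shadow copy.

    'copy' is a cmd.exe builtin, so there is no separate copy.exe process;
    the image check (an assumption taken from the rule title) therefore
    requires cmd.exe.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith("\\cmd.exe"):
        return False
    # 'copy ' also matches 'xcopy ' and 'robocopy '; a tuning pass may want
    # to separate those, but any copy out of a shadow copy deserves a look.
    if COPY_TOKEN not in cmdline:
        return False
    return SHADOW_COPY_PATH in cmdline


def find_hits(events):
    """Return the command lines of events that trigger the detection."""
    return [e["CommandLine"] for e in events if matches(e)]


def shadow_source(cmdline: str):
    """Return the first argument that points into a shadow copy, for triage.

    Naive whitespace split: good enough for the common unquoted form seen
    in these commands, not a full cmd.exe argument parser.
    """
    for tok in cmdline.split():
        if SHADOW_COPY_PATH in tok.lower():
            return tok
    return None


def is_credential_store(path: str) -> bool:
    """True when the file name at the end of the path is a known hive/NTDS."""
    return path.rsplit("\\", 1)[-1].lower() in CREDENTIAL_STORES


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # SAM hive pulled from shadow copy 1: should alert
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Users\Public\sam.save"},
    # ntds.dit with lowercase path: should still alert (case-insensitive)
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\?\globalroot\device\harddiskvolumeshadowcopy2\Windows\NTDS\ntds.dit C:\temp\n.dit"},
    # Ordinary file copy: benign, no shadow copy path
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Users\alice\report.docx D:\backup\report.docx"},
    # Listing shadow copies is not a copy out of one
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin list shadows"},
    # Same technique via PowerShell: outside this rule's scope (not cmd.exe)
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c Copy-Item \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\system.save"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        src = shadow_source(hit)
        severity = "HIGH" if src and is_credential_store(src) else "MEDIUM"
        print(f"[{severity}] {hit}")
```

The last sample event is the point of the exercise: the same read of a shadow copy through PowerShell's Copy-Item does not match, because this rule is scoped to cmd.exe, so coverage of that variant needs a separate rule keyed on the shadow copy path regardless of the image.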
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2021-08-09