Detects Shadow Copies creation using operating systems utilities, possible precursor to credential access.
vssadmin create shadow /for=C:
vssadmin create shadow /for=D:
LOLBins
Mustang Panda
https://github.com/SigmaHQ/sigma/blob/583f08ecaca532c7bff6e56e73c2e25c5b184796/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
{{ mitre("T1003.003")}}
Data Source(s): Command, Process
let selection_img_OriginalFileName = dynamic(['PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE']);
let selection_cli = dynamic(['shadow', 'create']);
let selection_drive = dynamic(['c:', 'd:']);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FolderPath endswith @'\powershell.exe' or FolderPath endswith @'\pwsh.exe' or FolderPath endswith @'\wmic.exe' or FolderPath endswith @'\vssadmin.exe'
| where ProcessVersionInfoOriginalFileName has_any (selection_img_OriginalFileName)
| where ProcessCommandLine has_all (selection_cli) and ProcessCommandLine has_any (selection_drive)
//| summarize count(), num_distinctDevices = dcount(DeviceName), set_ProcessCMD=make_set(ProcessCommandLine), set_InitiatingProcessCMD=make_set(InitiatingProcessCommandLine), first_ = min(TimeGenerated), last_ = max(TimeGenerated) by InitiatingProcessFolderPath, InitiatingProcessFileName, FolderPath, FileName, AccountName, TenantId
- Use the summarize statement for logs deduplication when results > 10 logs
- Verify if the activities were expected and approved, examined the Account, host, and initiating command lines.
- Legitimate administrator working with shadow copies, access for backup purposes
Version 1.0 (date: 20/03/2024)