title: Conti Volume Shadow Listing
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
description: Detects a command used by conti to access volume shadow backups
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine: '*\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*'
  SELECTION_3:
    CommandLine:
    - '*\\NTDS.dit*'
    - '*\\SYSTEM*'
    - '*\\SECURITY*'
    - '*C:\\tmp\\log*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Some rare backup scenarios
id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
level: medium
logsource:
  category: process_creation
  product: windows
references:
- https://twitter.com/vxunderground/status/1423336151860002816?s=20
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
status: experimental
tags:
- attack.impact
- attack.t1490