title: Volume Shadow Copy Service Keys
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/10/20
description: Detects the volume shadow copy service initialization and processing. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
detection:
  SELECTION_1:
    EventID: 12
  SELECTION_2:
    EventID: 13
  SELECTION_3:
    EventID: 14
  SELECTION_4:
    TargetObject: '*System\CurrentControlSet\Services\VSS*'
  SELECTION_5:
    TargetObject: '*System\CurrentControlSet\Services\VSS\Start*'
  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and not (SELECTION_5))
falsepositives:
  - Other services accessing that key or sub keys
id: 5aad0995-46ab-41bd-a9ff-724f41114971
level: high
logsource:
  category: registry_event
  product: windows
modified: 2021/06/02
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
status: experimental
tags:
  - attack.credential_access
  - attack.t1003.002
yml_filename: sysmon_volume_shadow_copy_service_keys.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event