37 lines
1.2 KiB
YAML
37 lines
1.2 KiB
YAML
title: Volume Shadow Copy Service Keys
|
|
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
|
|
date: 2020/10/20
|
|
description: Detects the volume shadow copy service initialization and processing.
|
|
Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume
|
|
are captured.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 12
|
|
SELECTION_2:
|
|
EventID: 13
|
|
SELECTION_3:
|
|
EventID: 14
|
|
SELECTION_4:
|
|
TargetObject: '*System\CurrentControlSet\Services\VSS*'
|
|
SELECTION_5:
|
|
TargetObject: '*System\CurrentControlSet\Services\VSS\Start*'
|
|
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and not
|
|
(SELECTION_5))
|
|
falsepositives:
|
|
- Other services accessing that key or sub keys
|
|
id: 5aad0995-46ab-41bd-a9ff-724f41114971
|
|
level: high
|
|
logsource:
|
|
category: registry_event
|
|
product: windows
|
|
modified: 2021/06/02
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
|
|
status: experimental
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003.002
|
|
yml_filename: sysmon_volume_shadow_copy_service_keys.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
|
|
|