sigmahighHunting

Create Volume Shadow Copy with Powershell

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information

MITRE ATT&CK

T1003.003

credential-access

Detection Query

selection:
  ScriptBlockText|contains|all:
    - Win32_ShadowCopy
    - ).Create(
    - ClientAccessible
condition: selection

Author

frack113

Created

2022-01-12

Data Sources

windowsps_script

Platforms

windows

References

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7

Tags

attack.credential-accessattack.t1003.003attack.ds0005

Raw Content

title: Create Volume Shadow Copy with Powershell
id: afd12fed-b0ec-45c9-a13d-aa86625dac81
status: test
description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022-01-12
tags:
    - attack.credential-access
    - attack.t1003.003
    - attack.ds0005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - Win32_ShadowCopy
            - ').Create('
            - ClientAccessible
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: high