T1003.003 Shadow Copies Creation Using Operating Systems Utilities

T1003.003 - Shadow Copies Creation Using Operating Systems Utilities

DESCRIPTION

Detects Shadow Copies creation using operating systems utilities, possible precursor to credential access.

Example:

vssadmin create shadow /for=C:
vssadmin create shadow /for=D:

Related

LOLBins
Mustang Panda

Reference:

https://github.com/SigmaHQ/sigma/blob/583f08ecaca532c7bff6e56e73c2e25c5b184796/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/

ATT&CK TACTICS

T1003.003 - OS Credential Dumping: NTDS

Data Source(s): Command, Process

SENTINEL RULE QUERY

let selection_img_OriginalFileName = dynamic(['PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE']);
let selection_cli = dynamic(['shadow', 'create']);
let selection_drive = dynamic(['c:', 'd:']);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FolderPath endswith @'\powershell.exe' or FolderPath endswith @'\pwsh.exe' or FolderPath endswith @'\wmic.exe' or FolderPath endswith @'\vssadmin.exe'
| where ProcessVersionInfoOriginalFileName has_any (selection_img_OriginalFileName)
| where ProcessCommandLine has_all (selection_cli) and ProcessCommandLine has_any (selection_drive)
//| summarize count(), num_distinctDevices = dcount(DeviceName), set_ProcessCMD=make_set(ProcessCommandLine), set_InitiatingProcessCMD=make_set(InitiatingProcessCommandLine), first_ = min(TimeGenerated), last_ = max(TimeGenerated) by InitiatingProcessFolderPath, InitiatingProcessFileName, FolderPath, FileName, AccountName, TenantId 

Triage

1. Use the summarize statement for logs deduplication when results > 10 logs
2. Verify if the activities were expected and approved, examined the Account, host, and initiating command lines.

FalsePositive

• Legitimate administrator working with shadow copies, access for backup purposes

VERSION

Version 1.0 (date: 20/03/2024)