Uncommon creation or access operation of sensitive shadow copy

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

OS Credential Dumping (T1003)

Severity

Low

Description

An uncommon creation or access of a sensitive Shadow Copy volume path.

Attacker's Goals

Attackers may try to copy sensitive data or dump OS credentials from the host file system by using Shadow Copy volume utilities.

Investigative actions

  • Verify if the shadow copy operation is part of an IT activity.
  • Look for other hosts performing the same shadow copy event with similar causality process behavior.
  • Inspect the causality process and its characteristics as they appear on other hosts.

Variations

Uncommon creation or access operation of sensitive shadow copy by a remote actor

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

OS Credential Dumping (T1003)

Severity

Low

Description

An uncommon creation or access of a sensitive Shadow Copy volume path.

Attacker's Goals

Attackers may try to copy sensitive data or dump OS credentials from the host file system by using Shadow Copy volume utilities.

Investigative actions

  • Verify if the shadow copy operation is part of an IT activity.
  • Look for other hosts performing the same shadow copy event with similar causality process behavior.
  • Inspect the causality process and its characteristics as they appear on other hosts.
  • Investigate the remote machine, search for the stolen shadow copies and for any infection that may initiated the activity.


Uncommon creation or access operation of sensitive shadow copy by a high-risk process

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

OS Credential Dumping (T1003)

Severity

High

Description

An uncommon creation or access of a sensitive Shadow Copy volume path by a high-risk process.

Attacker's Goals

Attackers may try to copy sensitive data or dump OS credentials from the host file system by using Shadow Copy volume utilities.

Investigative actions

  • Verify if the shadow copy operation is part of an IT activity.
  • Look for other hosts performing the same shadow copy event with similar causality process behavior.
  • Inspect the causality process and its characteristics as they appear on other hosts.