Synopsis

| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
An uncommon creation or access of a sensitive Shadow Copy volume path.
Attacker's Goals
Attackers may try to copy sensitive data or dump OS credentials from the host file system by using Shadow Copy volume utilities.
Investigative actions
- Verify whether the shadow copy operation is part of expected IT activity.
- Look for other hosts performing the same shadow copy event with similar causality process behavior.
- Inspect the causality process and its characteristics as they appear on other hosts.
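The three investigative actions above amount to a small triage loop: confirm the access actually touched a sensitive location inside a snapshot, collapse repeats from the same host and causality process within the one-day deduplication period, and then count which other hosts show the same causality process. The script below is an added example written for this page; it is not Cortex XDR code and does not reflect the detector's internal logic. It assumes a simplified event record (host, causality process, remote-actor flag, file path), assumes the `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<N>\` path shape for snapshot access, and uses its own list of sensitive in-snapshot locations (the AD database and local credential hives), since the page does not enumerate which paths it treats as sensitive. All events are constructed sample data.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed path shape of a Volume Shadow Copy snapshot as exposed by Windows; the
# captured group is the path inside the snapshot, relative to the volume root.
SHADOW_COPY_RE = re.compile(
    r"^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+\\(?P<rel>.*)$",
    re.IGNORECASE,
)

# Assumption: the in-snapshot locations this example treats as "sensitive"
# (AD database and the registry hives holding local credentials). The
# reference page does not publish its own list.
SENSITIVE_RELATIVE_PATHS = {
    r"windows\ntds\ntds.dit",
    r"windows\system32\config\sam",
    r"windows\system32\config\system",
    r"windows\system32\config\security",
}


@dataclass(frozen=True)
class FileEvent:
    """Simplified file-access record (hypothetical schema, not the product's)."""
    ts: datetime
    host: str
    causality_process: str   # process at the root of the causality chain
    remote_actor: bool       # True when the operation was initiated remotely
    path: str                # file path as recorded by the endpoint agent


def shadow_copy_relative_path(path: str):
    """Return the path inside the snapshot if `path` is a shadow copy path, else None."""
    m = SHADOW_COPY_RE.match(path)
    return m.group("rel") if m else None


def is_sensitive(rel: str) -> bool:
    """True when the in-snapshot path is one of the credential-bearing locations."""
    return rel.lower().strip("\\") in SENSITIVE_RELATIVE_PATHS


def triage(events, dedup_window=timedelta(days=1)):
    """
    Emit one alert per (host, causality process) per deduplication window for
    sensitive shadow copy accesses, and return the set of hosts seen per
    causality process so the analyst can check for the same behaviour elsewhere.
    """
    alerts = []
    last_alert = {}                   # (host, causality_process) -> ts of last alert
    hosts_by_process = defaultdict(set)
    for ev in sorted(events, key=lambda e: e.ts):
        rel = shadow_copy_relative_path(ev.path)
        if rel is None or not is_sensitive(rel):
            continue                  # not a snapshot path, or not a sensitive location
        key = (ev.host, ev.causality_process)
        hosts_by_process[ev.causality_process].add(ev.host)
        prev = last_alert.get(key)
        if prev is not None and ev.ts - prev < dedup_window:
            continue                  # repeat inside the deduplication period: suppress
        last_alert[key] = ev.ts
        alerts.append({
            "host": ev.host,
            "causality_process": ev.causality_process,
            "path": ev.path,
            "remote_actor": ev.remote_actor,
        })
    return alerts, {p: sorted(h) for p, h in hosts_by_process.items()}


# Constructed sample telemetry covering the cases the investigative actions care about.
T0 = datetime(2024, 1, 10, 9, 0)
SAMPLE_EVENTS = [
    # Backup agent reading a user document from a snapshot: snapshot path, but not sensitive
    FileEvent(T0, "ws-01", "backupagent.exe", False,
              r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\alice\report.docx"),
    # Unusual process reading the SAM hive out of a snapshot: alert
    FileEvent(T0 + timedelta(minutes=5), "ws-01", "cmd.exe", False,
              r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM"),
    # Same host and process an hour later: suppressed by the 1-day deduplication period
    FileEvent(T0 + timedelta(hours=1), "ws-01", "cmd.exe", False,
              r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SYSTEM"),
    # Another host, same causality process, remotely initiated: the "other hosts" signal
    FileEvent(T0 + timedelta(hours=2), "dc-01", "cmd.exe", True,
              r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit"),
    # Same host and process two days later: outside the window, alerts again
    FileEvent(T0 + timedelta(days=2), "ws-01", "cmd.exe", False,
              r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\Windows\System32\config\SAM"),
    # Access to the live hive path (not a snapshot): ignored by this detector
    FileEvent(T0, "ws-02", "lsass.exe", False, r"C:\Windows\System32\config\SAM"),
]

if __name__ == "__main__":
    found, hosts = triage(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']:6} {a['causality_process']:10} remote={a['remote_actor']} {a['path']}")
    print("hosts per causality process:", hosts)
```

Running the block yields three alerts (the backup agent's document read and the hour-later repeat are dropped) and shows `cmd.exe` as the causality process on both `ws-01` and `dc-01`, which is exactly the cross-host pattern the second investigative action asks you to look for.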
Variations
- Uncommon creation or access operation of sensitive shadow copy by a remote actor
- Uncommon creation or access operation of sensitive shadow copy by a high-risk process