Missing alerts | Volume Shadow Copy

Happy Monday,

Is it us, or aren't there any rules in Rapid7 in relation to "Volume Shadow Copy"?

Hi,

We do have a number of alerts related to this behavior; see under Attacker Behavior Analytics. If you search for "shadow" you will see five Detection Rules related to actions taken with shadow copies.

For example:

Suspicious Process - Delete File Shadow Copies With PowerShell

This Windows-based detection will trigger if the agent running on the system detects the following:

from(
    event_type = "process_start_event"
)
where(
    SUBQUERY("Powershell")
    AND
    process.cmd_line
        ICONTAINS-ALL [
            "ForEach-Object",
            "Get-WmiObject",
            ".Delete()",
            "Win32_Shadowcopy"
        ]
)


Oversight on my end. Thanks!

How do these rules stack up against PS encoded commands or otherwise obfuscated ones? Or against alternate methods like VSSAdmin?

We do decode PS commands in base64 or hex format as well as some others when performing checks against our detection engine rules.

David
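A worked illustration of how a rule shaped like the one posted above is evaluated, including the base64 decoding of PowerShell `-EncodedCommand` arguments that the reply mentions. This is added example code, not Rapid7's detection engine or its rule language: the event dictionary layout, the helper names, the process-name check standing in for `SUBQUERY("Powershell")`, and the sample events are all constructed assumptions. The samples also show the scope of the posted rule as written: a command that lists shadow copies without calling `.Delete()` and a `vssadmin` invocation from `cmd.exe` do not satisfy it, which is why coverage of other methods has to come from separate rules.

```python
import base64
import re
from typing import Dict, List, Optional

# The four substrings from the posted rule. ICONTAINS-ALL is taken here to mean
# "every substring appears, case-insensitively" (assumption about the semantics).
REQUIRED_SUBSTRINGS = ["ForEach-Object", "Get-WmiObject", ".Delete()", "Win32_Shadowcopy"]

# Approximation of SUBQUERY("Powershell"): match on the image name (assumption).
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts -EncodedCommand and its unique prefixes (-e, -ec, -enc);
# the payload is base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def is_powershell(process_name: str) -> bool:
    """True if the image name (with or without a path) is a PowerShell host."""
    return process_name.lower().rsplit("\\", 1)[-1] in POWERSHELL_NAMES


def decode_encoded_command(cmd_line: str) -> Optional[str]:
    """Return the decoded script behind -EncodedCommand, or None if absent/invalid."""
    match = ENCODED_FLAG.search(cmd_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Malformed base64 or non-UTF-16 payload: treat as "not decodable".
        return None


def icontains_all(haystack: str, needles: List[str]) -> bool:
    """Case-insensitive check that every needle is a substring of haystack."""
    lowered = haystack.lower()
    return all(needle.lower() in lowered for needle in needles)


def matches_rule(event: Dict) -> bool:
    """Evaluate the posted rule's logic, checking the raw and the decoded command line."""
    if event.get("event_type") != "process_start_event":
        return False
    process = event.get("process", {})
    if not is_powershell(process.get("name", "")):
        return False
    cmd_line = process.get("cmd_line", "")
    candidates = [cmd_line]
    decoded = decode_encoded_command(cmd_line)
    if decoded is not None:
        candidates.append(decoded)
    return any(icontains_all(text, REQUIRED_SUBSTRINGS) for text in candidates)


def _encode_ps(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry). The deletion script is just the
# four substrings of the posted rule assembled into one pipeline.
DELETE_SCRIPT = "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
LIST_SCRIPT = "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.ID }"

SAMPLE_EVENTS = [
    {"event_type": "process_start_event",
     "process": {"name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "cmd_line": 'powershell.exe -Command "' + DELETE_SCRIPT + '"'}},
    {"event_type": "process_start_event",
     "process": {"name": "powershell.exe",
                 "cmd_line": "powershell.exe -NoP -EncodedCommand " + _encode_ps(DELETE_SCRIPT)}},
    {"event_type": "process_start_event",
     "process": {"name": "powershell.exe",
                 "cmd_line": 'powershell.exe -Command "' + LIST_SCRIPT + '"'}},
    {"event_type": "process_start_event",
     "process": {"name": "cmd.exe", "cmd_line": "cmd.exe /c vssadmin list shadows"}},
    {"event_type": "file_modification_event",
     "process": {"name": "powershell.exe", "cmd_line": "powershell.exe -Command " + DELETE_SCRIPT}},
]


def evaluate(events: List[Dict]) -> List[bool]:
    """Run the rule over a list of events and return one verdict per event."""
    return [matches_rule(event) for event in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT ' if hit else 'ok    '} {event['process']['cmd_line'][:70]}")
```

Only the first two constructed events fire: the plain command line and its base64-encoded form, which matches because the decoded script is checked alongside the raw argument string. The listing-only script lacks `.Delete()`, the `vssadmin` call is not a PowerShell process, and the last event has the wrong event type, so none of those satisfy this particular rule.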