Happy Monday,
Is it us, or aren't there any rules in Rapid7 in relation to "Volume Shadow Copy"?
Hi,
We do have a number of alerts related to this behavior; see under Attacker Behavior Analytics: if you search for "shadow" you will see five Detection Rules related to actions taken with shadow copies.
For example:
Suspicious Process - Delete File Shadow Copies With PowerShell
This Windows-based detection will trigger if the agent running on the system detects the following:

from(
  event_type = "process_start_event"
)
where(
  SUBQUERY("Powershell")
  AND
  process.cmd_line ICONTAINS-ALL [
    "ForEach-Object",
    "Get-WmiObject",
    ".Delete()",
    "Win32_Shadowcopy"
  ]
)
Oversight on my end. Thanks!
How do these rules stack up against PS encoded commands or otherwise obfuscated ones? Or with alternate methods like VSSAdmin?
We do decode PS commands in base64 or hex format, as well as some others, when performing checks against our detection engine rules.
David
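As an added illustration (not Rapid7's code or detection engine), here is a Python sketch of the quoted rule's match logic, including the base64 decoding step David describes for encoded PowerShell commands. The image-name check standing in for SUBQUERY("Powershell") and the sample events are assumptions constructed for this example.

```python
import base64
import re

# Tokens from the rule quoted in the thread; ICONTAINS-ALL means every one
# must appear in process.cmd_line, case-insensitively.
SHADOW_DELETE_TOKENS = ("ForEach-Object", "Get-WmiObject", ".Delete()", "Win32_Shadowcopy")

# powershell.exe -EncodedCommand (also -enc, -ec, -e) takes base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def is_powershell(cmd_line: str) -> bool:
    """Stand-in for the rule's SUBQUERY("Powershell") (assumption: image-name check)."""
    parts = cmd_line.strip().split()
    return bool(parts) and parts[0].strip('"').lower().endswith(("powershell.exe", "pwsh.exe"))


def decode_encoded_command(cmd_line: str) -> str:
    """Replace an -EncodedCommand payload with its decoded script text."""
    m = ENCODED_RE.search(cmd_line)
    if not m:
        return cmd_line
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd_line  # not a valid payload: fall back to matching the raw text
    return cmd_line[: m.start()] + script + cmd_line[m.end():]


def icontains_all(text: str, tokens) -> bool:
    lower = text.lower()
    return all(t.lower() in lower for t in tokens)


def matches_shadow_copy_delete(event: dict, decode: bool = True) -> bool:
    """Evaluate the quoted rule; decode=False shows what an encoded command looks like without decoding."""
    if event.get("event_type") != "process_start_event":
        return False
    cmd = event.get("process", {}).get("cmd_line", "")
    if not is_powershell(cmd):
        return False
    return icontains_all(decode_encoded_command(cmd) if decode else cmd, SHADOW_DELETE_TOKENS)


# Constructed sample events (not real telemetry); the script is the one the rule's tokens describe.
_PLAIN = "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
_ENC = base64.b64encode(_PLAIN.encode("utf-16-le")).decode()
SAMPLE_EVENTS = {
    "plain": {"event_type": "process_start_event", "process": {"cmd_line": "powershell.exe -NoProfile " + _PLAIN}},
    "encoded": {"event_type": "process_start_event", "process": {"cmd_line": "powershell.exe -NoProfile -EncodedCommand " + _ENC}},
    "enumerate_only": {"event_type": "process_start_event", "process": {"cmd_line": "powershell.exe Get-WmiObject Win32_Shadowcopy | Select-Object ID"}},
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:15} raw={matches_shadow_copy_delete(ev, decode=False)} decoded={matches_shadow_copy_delete(ev)}")
```

The "encoded" event only matches once the payload is decoded, which is the gap the decoding step closes; the "enumerate_only" event shows the rule needs all four tokens, so listing shadow copies alone does not fire it.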