Volume Shadow Copy Unmounted By Uncommon Process
Nasreddine Bencherchali (Nextron Systems)
Detects unmounting of an NTFS volume shadow copy instance by an uncommon process. This may indicate that someone is calling the VSS API directly, possibly to avoid detection.
Nextron Sigma feed only (private)