Volume Shadow Copy Unmounted By Uncommon Process

Rule Info

Name
Volume Shadow Copy Unmounted By Uncommon Process
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the unmounting (dismount) of an NTFS volume shadow copy instance by an uncommon process. Shadow copies are normally created, exposed and removed by the Volume Shadow Copy service and by backup software; a different process dismounting one can indicate that an actor is driving the VSS API directly instead of going through the usual command-line tools (vssadmin.exe, wmic), possibly to slip past detections that key on those tools' command lines.
Reference
Internal Research
Date
2024-01-24
Modified
None
Id
78b47e98-713d-4733-9f75-04d80f657920
Tags
attack.defense_evasion
Type
Nextron Sigma feed only (private)
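
The rule logic itself is not published, so the following is an added example, not the private Nextron rule: a small Sigma-style evaluator for the "known process OR not" pattern that such a rule typically uses (`selection and not filter`, with `|contains` and `|endswith` modifiers), run over constructed event records. Everything about the log source is assumed for illustration: that the dismount surfaces as an event whose `Message` names the `HarddiskVolumeShadowCopy` device object, that the originating process is carried in an `Image` field, and that `vssvc.exe` and `wbengine.exe` are the legitimate processes to filter out. The sample messages are constructed, not real NTFS or VSS event text.

```python
"""Sigma-style 'uncommon process' filter evaluated over constructed events.

Added example code; it is not the private Nextron rule and does not know its
real logsource or field names.  ASSUMPTIONS: the dismount appears as an event
whose `Message` mentions the HarddiskVolumeShadowCopy device object, the
originating process is in `Image`, and the allowlist below is illustrative.
"""
from __future__ import annotations

import re

# Hypothetical detection section in the shape Sigma uses.
RULE = {
    "selection": {
        "Message|contains": "HarddiskVolumeShadowCopy",
    },
    "filter_known_vss_users": {
        "Image|endswith": [
            "\\vssvc.exe",     # Volume Shadow Copy service (assumed legitimate)
            "\\wbengine.exe",  # Windows Backup engine (assumed legitimate)
        ],
    },
    "condition": "selection and not filter_known_vss_users",
}


def _match_value(actual, modifier, expected) -> bool:
    """Apply one Sigma string modifier; plain matches are case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "re":
        return re.search(str(expected), str(actual)) is not None
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(sel: dict, event: dict) -> bool:
    """Every key of a Sigma map must match (AND); a list of values is OR."""
    for key, expected in sel.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], modifier or None, v) for v in values):
            return False
    return True


def evaluate(rule: dict, event: dict) -> bool:
    """Evaluate a condition of the form 'X and not Y' (the only shape supported here)."""
    m = re.fullmatch(r"(\w+) and not (\w+)", rule["condition"])
    if not m:
        raise ValueError("only 'X and not Y' conditions are supported")
    sel, flt = m.groups()
    return match_selection(rule[sel], event) and not match_selection(rule[flt], event)


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\VSSVC.exe",
     "Message": "Volume \\Device\\HarddiskVolumeShadowCopy3 was dismounted."},
    {"Image": "C:\\Users\\Public\\tool.exe",
     "Message": "Volume \\Device\\HarddiskVolumeShadowCopy3 was dismounted."},
    {"Image": "C:\\Users\\Public\\tool.exe",
     "Message": "Volume \\Device\\HarddiskVolume2 is healthy."},
]


def alerts(events=SAMPLE_EVENTS, rule=RULE) -> list[str]:
    """Return the Image of every event the rule fires on."""
    return [e["Image"] for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    for image in alerts():
        print("ALERT: shadow copy dismounted by uncommon process:", image)
```

Only the second record fires: the first is filtered out by the allowlist (matched case-insensitively, as Sigma does by default), and the third never hits the selection because it does not reference a shadow copy device. Tuning such a rule in practice means extending the filter with whatever backup agents legitimately dismount shadow copies in your environment.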

Rule History