Potentially Suspicious Child Process Of DiskShadow.EXE

Rule Info

Name
Potentially Suspicious Child Process Of DiskShadow.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
Reference
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
Date
2023-09-15 00:00:00
Modified
None
Id
9f546b25-5f12-4c8d-8532-5893dcb1e4b8
Tags
attack.defense-evasion attack.t1218
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=9f546b25-5f12-4c8d-8532-5893dcb1e4b8

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
github-actions[bot]
Merge PR #4942 from @nasbench - promote older rules status from experimental to test
2024-08-01
6b7814466
Qasim Qlf
Merge PR #4718 from @qasimqlf - Update ATT&CK Mapping For Some Rules
2024-02-26
1fb3ce596
cyb3rjy0t
Merge PR #4405 from @nasbench & @cyb3rjy0t - Update Diskshadow Related Rules
2023-09-15
3b27c338f
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022