Volume Shadow Copy Mounted

Rule Info

Name: Volume Shadow Copy Mounted
Author: Nasreddine Bencherchali (Nextron Systems)
Description: Detects mounting of an NTFS volume shadow copy instance including creation.
Reference: Internal Research
Date: 2024-01-24 00:00:00
Modified: None
Id: cf82b6a7-14eb-4bd2-8415-345e9d35e105
Tags: attack.defense_evasion
Type: Nextron Sigma feed only (private)

Rule History