Diskshadow Script Mode - Execution From Potential Suspicious Location

Rule Info

Name
Diskshadow Script Mode - Execution From Potential Suspicious Location
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
Reference
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
Date
2023-09-15 00:00:00
Modified
2024-03-05 00:00:00
Id
fa1a7e52-3d02-435b-81b8-00da14dd66c1
Tags
attack.defense-evasion attack.t1218
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=fa1a7e52-3d02-435b-81b8-00da14dd66c1

Rule History

Author
Title
Date
Commit
frack113
Merge PR #4973 from @frack113 - Fix date format for some rules along with a broken logsource field
2024-08-16
adff65f9a
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
github-actions[bot]
Merge PR #4942 from @nasbench - promote older rules status from experimental to test
2024-08-01
6b7814466
frack113
Merge PR #4752 from @frack113 - Update rules to use the `windash` modifier
2024-03-11
48baf1187
Qasim Qlf
Merge PR #4718 from @qasimqlf - Update ATT&CK Mapping For Some Rules
2024-02-26
1fb3ce596
Wagga
Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
2023-10-28
8bf328219
cyb3rjy0t
Merge PR #4405 from @nasbench & @cyb3rjy0t - Update Diskshadow Related Rules
2023-09-15
3b27c338f
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022