Date: 08/19/2024
Severity: Medium
Summary
"Diskshadow Script Mode - Execution From Potential Suspicious Location" covers the built-in Windows tool diskshadow.exe being started in script mode (the -s switch, which reads commands for creating and managing volume shadow copies, i.e. backups of disk volumes, from a file) with a script that sits in a temporary or user-writable directory. A script path in such an unusual or unexpected location is a red flag for malicious activity or unauthorized access, as attackers might use this method to create or manipulate shadow copies for purposes such as data exfiltration or malware persistence. Monitoring and validating the source of such scripts is crucial for maintaining system security and integrity.
Indicators of Compromise (IOC) List
| Field | Value(s) |
|---|---|
| OriginalFileName | 'diskshadow.exe' |
| Image | '\diskshadow.exe' |
| CommandLine | '-s ' ':\Temp\' ':\Windows\Temp\' '\AppData\Local\' '\AppData\Roaming\' '\ProgramData\' '\Users\Public\' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
| Query | Logic |
|---|---|
| Detection Query 1 | ((((resourcename in ("Sysmon") AND eventtype = "1") AND originalfilename = "diskshadow.exe") AND image = "\diskshadow.exe") AND commandline in ("-s ",":\Temp",":\Windows\Temp","\AppData\Local","\AppData\Roaming","\ProgramData","\Users\Public")) |
| Detection Query 2 | ((((Technologygroup = "EDR" ) AND originalfilename = "diskshadow.exe") AND image = "\diskshadow.exe") AND commandline in ("-s ",":\Temp",":\Windows\Temp","\AppData\Local","\AppData\Roaming","\ProgramData","\Users\Public")) |
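The detection logic above, as an added example that is not the advisory's or the Sigma project's own code: a Python matcher that applies the rule's conditions to Sysmon Event ID 1 (process creation) records. The field names follow Sysmon's event fields, the sample events and their command lines are constructed for this illustration, and the `/s ` form of the switch is included next to the page's `-s ` because diskshadow accepts either. The script-mode switch and the suspicious path are required together, so a scheduled backup script under an admin-controlled directory does not fire, and the binary is accepted on either OriginalFileName or the Image suffix so that a renamed copy is still caught.

```python
# Added example (not code from the Gurucul advisory or the Sigma rule):
# match Sysmon EID 1 records against the "diskshadow script mode from a
# suspicious location" logic. Sample events below are constructed.

# Path fragments from the page's IOC list (user-writable / temp locations).
SUSPICIOUS_PATH_FRAGMENTS = (
    ":\\Temp\\",
    ":\\Windows\\Temp\\",
    "\\AppData\\Local\\",
    "\\AppData\\Roaming\\",
    "\\ProgramData\\",
    "\\Users\\Public\\",
)

# "-s " is the form listed on the page; diskshadow also accepts "/s ".
# Switches and paths are case-insensitive on Windows, so everything is
# compared in lower case.
SCRIPT_MODE_SWITCHES = ("-s ", "/s ")


def is_diskshadow_script_from_susp_location(event: dict) -> bool:
    """Return True when a Sysmon Event ID 1 record matches the rule.

    All of the following must hold:
      1. the process is diskshadow.exe (by OriginalFileName or Image suffix),
      2. the command line selects script mode,
      3. the command line references one of the suspicious directories.
    """
    if str(event.get("EventID")) != "1":
        return False
    original = (event.get("OriginalFileName") or "").lower()
    image = (event.get("Image") or "").lower()
    if original != "diskshadow.exe" and not image.endswith("\\diskshadow.exe"):
        return False
    cmd = (event.get("CommandLine") or "").lower()
    script_mode = any(sw in cmd for sw in SCRIPT_MODE_SWITCHES)
    susp_path = any(frag.lower() in cmd for frag in SUSPICIOUS_PATH_FRAGMENTS)
    return script_mode and susp_path


# Constructed sample events (hypothetical paths and file names).
SAMPLE_EVENTS = [
    # 0: script mode, script dropped in a public directory -> match
    {"EventID": 1, "OriginalFileName": "diskshadow.exe",
     "Image": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe -s C:\Users\Public\shadow.txt"},
    # 1: script mode, script kept under an admin-controlled path -> no match
    {"EventID": 1, "OriginalFileName": "diskshadow.exe",
     "Image": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe -s C:\Scripts\nightly_backup.txt"},
    # 2: suspicious path present but only as a log file, no script switch -> no match
    {"EventID": 1, "OriginalFileName": "diskshadow.exe",
     "Image": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe /l C:\ProgramData\diskshadow.log"},
    # 3: renamed copy, identified through OriginalFileName -> match
    {"EventID": 1, "OriginalFileName": "diskshadow.exe",
     "Image": r"C:\ProgramData\ds.exe",
     "CommandLine": r"ds.exe /s C:\ProgramData\s.txt"},
    # 4: unrelated process -> no match
    {"EventID": 1, "OriginalFileName": "vssadmin.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]


def matching_indices(events):
    """Indices of events in `events` that trigger the rule."""
    return [i for i, e in enumerate(events)
            if is_diskshadow_script_from_susp_location(e)]


if __name__ == "__main__":
    for i in matching_indices(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0 and 3 are the only ones reported; event 1 shows why the path condition matters for tuning, and event 2 shows why the script-mode switch must be required rather than any single indicator on its own.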
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml