Windows PowerShell create volume shadow copy

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects PowerShell commands that create Volume Shadow Copies (VSS).

Strategy

This rule monitors PowerShell script block logging for commands that create Volume Shadow Copies. VSS is a legitimate Windows feature that creates point-in-time snapshots of volumes, primarily for backup purposes.

The query searches the @Event.EventData.Data.ScriptBlockText field for PowerShell script blocks that contain the terms Win32_ShadowCopy, Create, and ClientAccessible. This combination indicates PowerShell code that’s using WMI to create a shadow copy that can be accessed by the client.
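The matching logic the paragraph describes, as an added example that is not Datadog's query engine or any code from the original page: a small Python evaluator that walks a list of constructed Script Block Logging records (shaped after Event ID 4104, with the page's `@Event.EventData.Data.ScriptBlockText` path flattened into nested dicts) and flags the ones containing all three terms. Host names, user names, and script text are made up for the example; the `User` field is an assumption about where the executing account would be carried.

```python
"""Evaluate the three-term shadow copy rule against sample script block events."""

# Constructed sample events, loosely shaped like PowerShell Script Block Logging
# (Event ID 4104) records after normalisation. The field path mirrors the page's
# @Event.EventData.Data.ScriptBlockText; hosts, users and scripts are invented.
SAMPLE_EVENTS = [
    {   # 1: WMI shadow copy creation with the terms in their usual casing -> match
        "Event": {"System": {"EventID": 4104, "Computer": "ws01.example.local",
                             "User": "EXAMPLE\\jdoe"},
                  "EventData": {"Data": {"ScriptBlockText":
                      "$r = (Get-WmiObject -List Win32_ShadowCopy).Create('C:\\', 'ClientAccessible')"}}}},
    {   # 2: only enumerates existing shadow copies -> lacks Create and ClientAccessible
        "Event": {"System": {"EventID": 4104, "Computer": "ws01.example.local",
                             "User": "EXAMPLE\\backupsvc"},
                  "EventData": {"Data": {"ScriptBlockText":
                      "Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate"}}}},
    {   # 3: two of the three terms in an unrelated script -> no match
        "Event": {"System": {"EventID": 4104, "Computer": "ws03.example.local",
                             "User": "EXAMPLE\\helpdesk"},
                  "EventData": {"Data": {"ScriptBlockText":
                      "New-Item -ItemType Directory 'C:\\Create'; Write-Host 'ClientAccessible'"}}}},
    {   # 4: same creation call typed in lowercase (PowerShell and WMI names are case-insensitive)
        "Event": {"System": {"EventID": 4104, "Computer": "srv02.example.local",
                             "User": "EXAMPLE\\ops"},
                  "EventData": {"Data": {"ScriptBlockText":
                      "([wmiclass]'root\\cimv2:win32_shadowcopy').create('C:\\','clientaccessible')"}}}},
    {   # 5: a pipeline event (4103) with no ScriptBlockText field at all -> skipped
        "Event": {"System": {"EventID": 4103, "Computer": "dc01.example.local",
                             "User": "EXAMPLE\\admin"},
                  "EventData": {"Data": {"Payload": "CommandInvocation(Get-Date)"}}}},
]

# The three terms the page's query requires to co-occur in one script block.
REQUIRED_TERMS = ("Win32_ShadowCopy", "Create", "ClientAccessible")


def script_block_text(event):
    """Return the ScriptBlockText of an event, or None when the field is absent."""
    try:
        return event["Event"]["EventData"]["Data"]["ScriptBlockText"]
    except (KeyError, TypeError):
        return None


def matches_rule(text, case_insensitive=True):
    """True when every required term appears as a substring of the script block."""
    if not text:
        return False
    haystack = text.lower() if case_insensitive else text
    return all((term.lower() if case_insensitive else term) in haystack
               for term in REQUIRED_TERMS)


def evaluate(events, case_insensitive=True):
    """Run the rule over a list of events and return one triage record per hit."""
    hits = []
    for index, event in enumerate(events, start=1):
        text = script_block_text(event)
        if matches_rule(text, case_insensitive):
            system = event["Event"]["System"]
            hits.append({
                "event_index": index,
                "host": system.get("Computer"),      # the {{host}} in the triage steps
                "user": system.get("User"),          # account to validate first
                "script_block": text,
            })
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"[{hit['event_index']}] {hit['host']} {hit['user']}: {hit['script_block']}")
```

Two points the sample set is built to show: the conjunction of all three terms is what keeps an ordinary shadow copy listing (event 2) or an unrelated script that happens to contain `Create` and `ClientAccessible` (event 3) out of the alerts, and a case-sensitive comparison would miss the lowercase variant in event 4 even though PowerShell and WMI treat it identically, so the comparison should be case-insensitive.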

While VSS is a legitimate Windows feature, its use through PowerShell is uncommon in routine operations. Attackers frequently abuse this functionality to access locked system files like NTDS.dit (Active Directory database) and registry hives containing credential information. By creating shadow copies, attackers can bypass file locks and access sensitive files that would otherwise be unavailable for reading.

Triage & Response

  • Identify the user account that executed the PowerShell shadow copy command on {{host}}.
  • Determine if the account has legitimate administrative permissions to perform this action.
  • Review access logs to domain controllers if Active Directory database access is suspected.
  • Check for subsequent file access or copy operations targeting the shadow copy.
  • Examine additional PowerShell commands executed before and after the shadow copy creation.
  • Look for evidence of access to sensitive files like NTDS.dit, SAM, or SYSTEM registry hives.
  • Verify if any data exfiltration occurred following the shadow copy creation.
  • Assess whether the shadow copy creation was part of authorized system administration or backup procedures.
  • Reset credentials for any accounts involved if unauthorized activity is confirmed.