Creation of Shadow Copy
Monitor for signs that Vssadmin or Wmic has been used to create a shadow copy. A volume shadow copy gives an attacker a readable copy of files that are locked while Windows is running, such as the Active Directory database and the SAM hive, so that credential material can be extracted and cracked offline.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2019-12-10
- Author: Patrick Bareiss, Splunk
- ID: eb120f5f-b879-4a63-97c1-93352b5df844
Kill Chain Phase
- Actions on Objectives
- CIS 8
- CIS 16
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `creation_of_shadow_copy_filter`
The SPL above uses the following Macros:
creation_of_shadow_copy_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
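The predicate of the search above, as an added example that is not part of the original page or of Splunk's security content: it re-implements the tstats WHERE clause and the by-field aggregation in plain Python over constructed Endpoint.Processes-style events, so the matching can be exercised without a Splunk instance. Hostnames, users, PIDs and timestamps are made up; the vssadmin and wmic command lines use real syntax. Wildcard matching is case-insensitive here by this example's own choice; confirm how process command lines are stored in your data model before relying on that.

```python
"""Added example (not Splunk's own code): emulates the 'Creation of Shadow Copy'
search logic over constructed process events."""
import fnmatch
from collections import defaultdict

# Constructed sample events shaped like Endpoint.Processes fields (_time is epoch seconds).
SAMPLE_EVENTS = [
    {"_time": 1575960000, "dest": "dc01.corp.local", "user": "CORP\\svc_backup",
     "process_name": "vssadmin.exe", "process": "vssadmin.exe create shadow /for=C:",
     "parent_process": "cmd.exe", "process_id": 4312, "parent_process_id": 2200},
    {"_time": 1575960060, "dest": "dc01.corp.local", "user": "CORP\\svc_backup",
     "process_name": "vssadmin.exe", "process": "vssadmin.exe create shadow /for=C:",
     "parent_process": "cmd.exe", "process_id": 4390, "parent_process_id": 2200},
    {"_time": 1575960120, "dest": "ws17.corp.local", "user": "CORP\\jdoe",
     "process_name": "wmic.exe", "process": "wmic.exe shadowcopy call create Volume=C:\\",
     "parent_process": "powershell.exe", "process_id": 5120, "parent_process_id": 5000},
    # Look-alikes that must NOT match: listing shadows and an unrelated wmic 'create'.
    {"_time": 1575960180, "dest": "ws17.corp.local", "user": "CORP\\jdoe",
     "process_name": "vssadmin.exe", "process": "vssadmin.exe list shadows",
     "parent_process": "cmd.exe", "process_id": 5200, "parent_process_id": 5000},
    {"_time": 1575960240, "dest": "ws17.corp.local", "user": "CORP\\jdoe",
     "process_name": "wmic.exe", "process": "wmic.exe process call create notepad.exe",
     "parent_process": "cmd.exe", "process_id": 5300, "parent_process_id": 5000},
]

# Fields of the SPL 'by' clause, after drop_dm_object_name strips the 'Processes.' prefix.
GROUP_BY = ("dest", "user", "process_name", "process",
            "parent_process", "process_id", "parent_process_id")


def _like(value, pattern):
    """Splunk-style '*' wildcard match; case folding is this example's assumption."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_shadow_copy_creation(ev):
    """Same predicate as the tstats WHERE clause of the search."""
    name, cmd = ev["process_name"], ev["process"]
    vss = _like(name, "vssadmin.exe") and _like(cmd, "*create*") and _like(cmd, "*shadow*")
    wmic = _like(name, "wmic.exe") and _like(cmd, "*shadowcopy*") and _like(cmd, "*create*")
    return vss or wmic


def detect(events):
    """Emulates 'count min(_time) as firstTime max(_time) as lastTime ... by <fields>'.

    Grouping includes process_id, as in the SPL, so two launches of the same
    command on the same host produce two rows rather than one row with count=2.
    """
    groups = defaultdict(list)
    for ev in events:
        if is_shadow_copy_creation(ev):
            groups[tuple(ev[f] for f in GROUP_BY)].append(ev["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=len(times), firstTime=min(times), lastTime=max(times))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in detect(SAMPLE_EVENTS):
        print(r["dest"], r["user"], r["process"], r["count"], r["firstTime"], r["lastTime"])
```

Running the block prints three rows (two vssadmin launches on dc01, one wmic launch on ws17) and drops the `list shadows` and `process call create` events, which is the behaviour to confirm when the search is replayed against real data.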
Supported Add-on (TA)
List of Splunk Add-ons tested to work with the analytic.
Required Fields
List of fields required to use this analytic.
How To Implement
You must be ingesting endpoint data that tracks process activity, including parent-child relationships, from your endpoints to populate the Processes node of the Endpoint data model. The full command line is mapped to the "process" field in the Endpoint data model; the search depends on it, because the process name alone cannot distinguish creating a shadow copy from listing or deleting one.
Known False Positives
Legitimate administrator usage of Vssadmin or Wmic will create false positives, as will backup software or scheduled backup jobs that create shadow copies through these tools. Exclude known-good hosts, users or parent processes with the creation_of_shadow_copy_filter macro rather than by editing the search.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 81.0 | 90 | 90 | An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author. Note that the search outputs parent_process, not parent_process_name, so the $parent_process_name$ token in the message is only populated if that field is renamed.
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range.
Version: 1