security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
blue-team-tools/rules/windows/process_creation/proc_creation_win_vshadow_exec.yml
T
Nasreddine Bencherchali 34c5d66c22 Merge PR #5966 from @nasbench - Update mitre tags to use attack v19 
chore: update mitre tags to use attack v19
2026-04-29 01:20:23 +02:00

30 lines
1.1 KiB
YAML
Raw Permalink Blame History

title: Proxy Execution via Vshadow
id: d7c75059-2901-4578-b209-8837fd31c6a8
status: experimental
description: |
Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.
VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,
attackers can leverage this parameter to proxy the execution of malware.
author: David Faiss
date: 2025-05-26
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/
- https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample
tags:
- attack.stealth
- attack.t1202
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\vshadow.exe'
- OriginalFileName: 'vshadow.exe'
selection_cli:
CommandLine|contains: '-exec'
condition: all of selection_*
falsepositives:
- System backup or administrator tools
- Legitimate administrative scripts
level: medium
Reference in New Issue View Git Blame Copy Permalink