David Faiß
0e33642058
new: Proxy Execution via Vshadow - detect invocation of `vshadow.exe` with `-exec` to spot hidden malware execution --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
30 lines
1.1 KiB
YAML
30 lines
1.1 KiB
YAML
title: Proxy Execution via Vshadow
|
|
id: d7c75059-2901-4578-b209-8837fd31c6a8
|
|
status: experimental
|
|
description: |
|
|
Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.
|
|
VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,
|
|
attackers can leverage this parameter to proxy the execution of malware.
|
|
author: David Faiss
|
|
date: 2025-05-26
|
|
references:
|
|
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/
|
|
- https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample
|
|
tags:
|
|
- attack.defense-evasion
|
|
- attack.t1202
|
|
logsource:
|
|
product: windows
|
|
category: process_creation
|
|
detection:
|
|
selection_img:
|
|
- Image|endswith: '\vshadow.exe'
|
|
- OriginalFileName: 'vshadow.exe'
|
|
selection_cli:
|
|
CommandLine|contains: '-exec'
|
|
condition: all of selection_*
|
|
falsepositives:
|
|
- System backup or administrator tools
|
|
- Legitimate administrative scripts
|
|
level: medium
|