Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files that may contain credential information.
Rule type: eql
Risk score: 47
Runs every: 5m
Maximum alerts per execution: 100
Tags:
- Threat Detection
- Credential Access
Authors:
- Austin Songer
Rule license: Elastic License v2
Rule query:
process where event.type in ("start", "process_started") and process.pe.original_file_name == "Cmd.Exe" and process.args : "*mklink*" and process.args : "*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*"
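As an added example (not part of the Elastic rule or its repository), the following Python renders the query's logic as a function and runs it over constructed process events, so the `:` (case-insensitive wildcard, any array element) versus `==` (exact) semantics and the benign mklink non-match can be checked offline; field names follow the flattened ECS keys used in the query.

```python
import fnmatch
from typing import Any, Dict, List

# Constructed sample events in the flattened ECS field names the rule uses
# (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # cmd.exe linking a shadow copy into the filesystem: should alert
        "event.category": "process", "event.type": ["start"],
        "process.pe.original_file_name": "Cmd.Exe",
        "process.args": ["cmd.exe", "/c", "mklink", "/d", "C:\\vss",
                         "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\"],
    },
    {   # same command, different casing: ':' is case-insensitive, still alerts
        "event.category": "process", "event.type": ["process_started"],
        "process.pe.original_file_name": "Cmd.Exe",
        "process.args": ["cmd.exe", "/c", "MKLINK", "/D", "C:\\vss",
                         "\\\\?\\globalroot\\device\\harddiskvolumeshadowcopy2\\"],
    },
    {   # mklink to an ordinary directory: benign, no alert
        "event.category": "process", "event.type": ["start"],
        "process.pe.original_file_name": "Cmd.Exe",
        "process.args": ["cmd.exe", "/c", "mklink", "/d", "C:\\link", "C:\\data"],
    },
]

def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]

def eql_like(field_value: Any, pattern: str) -> bool:
    """EQL ':' operator: case-insensitive wildcard match; an array field matches
    if any element does. fnmatch treats a backslash as a literal, as EQL does."""
    if field_value is None:
        return False
    return any(fnmatch.fnmatchcase(str(v).lower(), pattern.lower())
               for v in _as_list(field_value))

def matches_rule(event: Dict[str, Any]) -> bool:
    """Python rendering of the page's EQL query for a single event."""
    return (
        event.get("event.category") == "process"                      # 'process where'
        and any(t in ("start", "process_started") for t in _as_list(event.get("event.type")))
        and event.get("process.pe.original_file_name") == "Cmd.Exe"  # '==' is case-sensitive
        and eql_like(event.get("process.args"), "*mklink*")
        and eql_like(event.get("process.args"), "*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*")
    )

def alerting_indices(events: List[Dict[str, Any]]) -> List[int]:
    # Indices of the events the rule would alert on
    return [i for i, e in enumerate(events) if matches_rule(e)]
```

Running `alerting_indices(SAMPLE_EVENTS)` returns `[0, 1]`: the two shadow-copy links alert regardless of case, while the ordinary directory link does not.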
Framework: MITRE ATT&CK™