Copy From VolumeShadowCopy Via Cmd.EXE

Rule name: Copy From VolumeShadowCopy Via Cmd.EXE
Rule type: Standard
Log sources: Windows
MITRE ATT&CK tags: Impact: Inhibit System Recovery (T1490)
Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Attackers often leverage Windows' built-in Volume Shadow Copy Service to access backed-up versions of sensitive files such as the SAM, SYSTEM, or SECURITY hives. This rule detects the use of cmd.exe to copy data directly from \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy paths, which may indicate an attempt to exfiltrate credentials or bypass real-time monitoring. Since Volume Shadow Copies are snapshots of the file system, this technique enables threat actors to evade traditional logging or file lock mechanisms, making it a stealthy method of data access and credential harvesting.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Discovery → Privilege Escalation → Credential Access → Command and Scripting Interpreter (cmd.exe) → Access to Volume Shadow Copy → File Exfiltration or Offline Credential Dumping

Impact

  • Credential Theft
  • Privilege Escalation
  • Lateral Movement
  • Data Exfiltration

Rule Requirement

Prerequisites

Using Windows Event Viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and, under Advanced Audit Policy Configuration, enable success auditing for both process creation and process termination. To capture command-line details, enable the "Include command line in process creation events" setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key under the EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.

Criteria

Action1: actionname = "Process started" AND COMMANDLINE contains "copy " AND COMMANDLINE contains "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
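As an added example (not the vendor's or the rule authors' code), the Criteria above applied in Python to constructed process-creation records, plus a parser that pulls out which snapshot and which file were read, for the analysis step. The field names follow the rule text; the case-folded comparison and the VSC_SOURCE parser are assumptions beyond what the rule states.

```python
"""Added example: evaluate the rule's Criteria over constructed records."""
import re
from typing import Optional

# Device path prefix the rule keys on (taken from the rule text).
VSC_MARKER = r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"
# Fields listed in the rule's select clause.
SELECT_FIELDS = ("HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME",
                 "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")
# Snapshot number plus the path copied out of it (assumed helper, not in the rule).
VSC_SOURCE_RE = re.compile(re.escape(VSC_MARKER) + r"(\d+)(\\\S*)", re.IGNORECASE)

def matches_rule(event: dict) -> bool:
    """Criteria: actionname == 'Process started' AND COMMANDLINE contains 'copy '
    AND the shadow-copy device path. Windows command lines are case-insensitive,
    so the comparison is case-folded here (assumption: the SIEM's 'contains'
    may be exact-case, in which case a check like this one closes that gap)."""
    if event.get("actionname") != "Process started":
        return False
    cmd = event.get("COMMANDLINE", "").lower()
    return "copy " in cmd and VSC_MARKER.lower() in cmd

def shadow_copy_source(cmdline: str) -> Optional[tuple]:
    """Return (snapshot number, file path inside the snapshot) for triage."""
    m = VSC_SOURCE_RE.search(cmdline)
    return (int(m.group(1)), m.group(2)) if m else None

def evaluate(events: list) -> list:
    """One alert dict (selected fields + parsed source) per matching event."""
    alerts = []
    for e in events:
        if matches_rule(e):
            a = {k: e.get(k) for k in SELECT_FIELDS}
            a["VSC_SOURCE"] = shadow_copy_source(e["COMMANDLINE"])
            alerts.append(a)
    return alerts

def _evt(cmd: str, action: str = "Process started") -> dict:
    """Constructed record; only the fields the rule reads vary between samples."""
    return {"actionname": action, "HOSTNAME": "WS01", "MESSAGE": "Process Create",
            "COMMANDLINE": cmd, "FILE_NAME": "cmd.exe", "USERNAME": "CORP\\jdoe",
            "PROCESSNAME": r"C:\Windows\System32\cmd.exe",
            "PARENTPROCESSNAME": r"C:\Windows\explorer.exe"}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    _evt(r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Users\Public\sam.bak"),
    _evt(r"cmd.exe /c copy C:\reports\q3.xlsx D:\share"),  # ordinary copy: no match
    _evt(r"vssadmin.exe list shadows"),                     # no copy, no device path: no match
    _evt(r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\x",
         action="Process stopped"),                         # wrong action type: no match
    _evt(r"cmd.exe /c COPY \\?\globalroot\device\harddiskvolumeshadowcopy2\Windows\System32\config\SECURITY C:\x"),  # case variant: caught
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["HOSTNAME"], alert["USERNAME"], alert["VSC_SOURCE"])
```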

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Inhibit System Recovery (T1490)

Security Standards

Enabling this rule helps you meet the security standards' requirements listed below:

PR.AC-01: Identities and credentials are managed for authorized devices and users.
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

By triggering on file access from Volume Shadow Copy using cmd.exe, this rule allows you to detect stealthy credential access attempts and unauthorized data retrieval.

Author

Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)

Future actions

Known False Positives

This rule may be triggered during legitimate system maintenance or forensic activities.

Next Steps

When this rule is triggered, the following measures can be implemented:

  • Identification: Determine whether the access to the Volume Shadow Copy was initiated by an authorized user or process.
  • Analysis: Investigate the specific files accessed—especially if they include sensitive ones like SAM, SYSTEM, or ntds.dit.
  • Response: Isolate the affected system, terminate any malicious processes and initiate a credential reset for affected accounts.
  • Implement strict access policies: Restrict access to Volume Shadow Copies to only trusted administrators.

Mitigation

M1053 - Data Backup
Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. In cloud environments, enable versioning on storage objects where possible, and copy backups to other accounts or regions to isolate them from the original copies.

M1038 - Execution Prevention
Use application control configured to block execution of utilities such as diskshadow.exe for a given system or network to prevent potential misuse by adversaries.

M1028 - Operating System Configuration
Use technical controls to prevent the disabling of services or deletion of files involved in system recovery. Also, ensure that WinRE is enabled using the following command: reagentc /enable.

M1018 - User Account Management
Limit the user accounts that have access to backups to only those required.