VolumeShadowCopy Symlink Creation Via Mklink

Rule name: VolumeShadowCopy Symlink Creation Via Mklink
Rule type: Standard
Log sources: Windows
MITRE ATT&CK tags:
  • Credential Access: OS Credential Dumping - NTDS (T1003.003)
  • Credential Access: OS Credential Dumping - Security Account Manager (T1003.002)
Severity: Critical

About the rule

Rule Type

Standard

Rule Description

This rule detects the creation of symbolic links to Volume Shadow Copies with the Windows mklink command. A shadow copy is a point-in-time snapshot of a volume, so files that the operating system keeps exclusively locked on the live volume, such as NTDS.dit on a domain controller or the SAM, SYSTEM and SECURITY registry hives, can be read from the snapshot with ordinary file tools. By running mklink /d against \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\ (N being the index reported by vssadmin list shadows), an adversary exposes the whole snapshot as a normal directory and can copy those files out, or link directly to a single file inside it. Because mklink is a cmd.exe built-in, the telemetry is a cmd.exe process-creation event whose command line carries the only evidence, which is why command-line logging is a prerequisite for this rule. The technique is used in post-exploitation for credential dumping and quiet access to historical data, and creating the link normally requires local administrator rights, so a hit is a strong indicator of privilege misuse or preparation for lateral movement. Note the coverage limit: the criteria look for the string mklink, so the same data reached through PowerShell's New-Item -ItemType SymbolicLink, or by copying straight from the \\?\GLOBALROOT\... path, is not matched by this rule.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Privilege escalation → Execution → mklink used to create symlink to Volume Shadow Copy → Access to backed-up files → Credential dumping or data exfiltration → Persistence or lateral movement

Impact

  • Persistence enablement
  • Data exfiltration
  • Defense evasion
  • Credential theft

Rule Requirement

Prerequisites


Using Windows event viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller with domain admin credentials, open the Group Policy Management Console (GPMC) and create or edit a GPO linked to the target OU. Under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Detailed Tracking, enable success auditing for Audit Process Creation (event 4688) and Audit Process Termination (event 4689). Command lines are not recorded by default: enable Include command line in process creation events under Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation, otherwise the criteria below have nothing to match. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key under the EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring using Sysmon, download it from Microsoft Sysinternals, open an elevated Command Prompt and install it with a configuration file that records process creation: sysmon.exe -accepteula -i configfile.xml. The configuration must contain a <ProcessCreate> rule group (an empty <ProcessCreate onmatch="exclude"/> excludes nothing and therefore captures every process creation) so that Event ID 1 records the CommandLine, ParentImage and User fields the criteria rely on. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn't already exist.

Criteria

Action1: actionname = "Process started" AND COMMANDLINE contains "mklink" AND COMMANDLINE contains "HarddiskVolumeShadowCopy" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
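The criteria above, applied to constructed process-creation events, as an added example; it is not the vendor's rule engine and not the rule author's code. It implements the three conditions (Process started, command line contains mklink, command line contains HarddiskVolumeShadowCopy) and then parses the mklink arguments so the analyst can see which shadow copy and which path inside it were linked, which is the information the Next Steps section asks for. Assumptions of this example: the event field names mirror the criteria's select list, "contains" is treated as case-insensitive (Windows command lines are case-insensitive), the credential-file list is a triage label of this example only, and every sample event is made up.

```python
# Added example: the page's criteria over constructed events, plus mklink argument parsing.
# Not the vendor's implementation; field names and sample data are assumptions.
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    hostname: str
    username: str
    processname: str
    parentprocessname: str
    commandline: str
    actionname: str = "Process started"


CMD = "C:\\Windows\\System32\\cmd.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # whole-volume directory link to shadow copy 1, cmd.exe spawned by PowerShell
    ProcessEvent("DC01", "CORP\\svc_backup", CMD, PS,
                 "cmd.exe /c mklink /d C:\\Users\\Public\\shadow "
                 "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\"),
    # file link straight to ntds.dit, odd spacing and upper case on purpose
    ProcessEvent("DC01", "CORP\\jdoe", CMD, "C:\\Windows\\explorer.exe",
                 "cmd  /c  MKLINK  C:\\temp\\ntds.dit  "
                 "\"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\Windows\\NTDS\\ntds.dit\""),
    # ordinary symlink with no shadow copy involved: must not fire
    ProcessEvent("WS07", "CORP\\jdoe", CMD, "C:\\Windows\\explorer.exe",
                 "cmd /c mklink /d C:\\tools\\bin D:\\tools\\bin"),
    # same result through PowerShell without the word mklink: the rule cannot see it
    ProcessEvent("DC01", "CORP\\svc_backup", PS, CMD,
                 "powershell -c \"New-Item -ItemType SymbolicLink -Path C:\\s "
                 "-Target \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\\""),
]

MKLINK_RE = re.compile(r"mklink", re.IGNORECASE)
VSS_RE = re.compile(r"HarddiskVolumeShadowCopy(\d+)", re.IGNORECASE)
# Files an adversary links to for credential theft (triage label only, assumed list).
CREDENTIAL_FILES = {"ntds.dit", "sam", "system", "security"}


def matches_rule(ev: ProcessEvent) -> bool:
    """The three conditions of the criteria, nothing more."""
    return (ev.actionname == "Process started"
            and MKLINK_RE.search(ev.commandline) is not None
            and VSS_RE.search(ev.commandline) is not None)


def parse_mklink(cmdline: str):
    """Split 'mklink [/D|/H|/J] Link Target' out of a full command line.
    Returns None when there is no mklink with two positional arguments."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    idx = next((i for i, t in enumerate(tokens) if t.lower() == "mklink"), None)
    if idx is None:
        return None
    args = tokens[idx + 1:]
    flags = [a.upper() for a in args if a.startswith("/")]
    positional = [a for a in args if not a.startswith("/")]
    if len(positional) < 2:
        return None
    link, target = positional[0], positional[1]
    m = VSS_RE.search(target)
    # Path inside the snapshot after HarddiskVolumeShadowCopyN; "" means the volume root.
    rel = target[m.end():].strip("\\") if m else None
    return {"flags": flags, "link": link, "target": target,
            "shadow_id": int(m.group(1)) if m else None, "relative_path": rel}


def triage(ev: ProcessEvent) -> dict:
    """Label a hit so the analyst can prioritise: whole volume, a credential store, or other."""
    info = parse_mklink(ev.commandline) or {"flags": [], "link": None, "target": None,
                                            "shadow_id": None, "relative_path": None}
    rel = info["relative_path"]
    if rel == "":
        info["assessment"] = "whole-volume link"
    elif rel and rel.split("\\")[-1].lower() in CREDENTIAL_FILES:
        info["assessment"] = "credential store"
    else:
        info["assessment"] = "file/directory link"
    info["parent"] = ev.parentprocessname
    return info


def run_rule(events):
    """Evaluate the criteria over a batch and attach triage details to each hit."""
    return [(ev, triage(ev)) for ev in events if matches_rule(ev)]


def missed_by_rule(events):
    """Events that touch a shadow copy path but never say 'mklink': the rule's blind spot."""
    return [ev for ev in events if VSS_RE.search(ev.commandline) and not matches_rule(ev)]


if __name__ == "__main__":
    for ev, info in run_rule(SAMPLE_EVENTS):
        print(f"{ev.hostname} {ev.username} parent={info['parent']}")
        print(f"  {info['link']} -> shadow copy {info['shadow_id']} "
              f"\\{info['relative_path']} : {info['assessment']}")
    for ev in missed_by_rule(SAMPLE_EVENTS):
        print(f"not matched (no mklink): {ev.commandline}")
```

Running it flags the two mklink events and prints the PowerShell New-Item event as unmatched, which is the gap to keep in mind when tuning: a companion rule on the HarddiskVolumeShadowCopy string alone, regardless of mklink, catches that variant at the cost of more hits from backup software.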

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Credential Access: OS Credential Dumping - NTDS (T1003.003)
Credential Access: OS Credential Dumping - Security Account Manager (T1003.002)

Security Standards

Enabling this rule will help you meet the requirements of the security standards listed below (NIST CSF 2.0 outcomes):

PR.PS-01: Configuration management practices are established and applied
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you're notified of attempts to reach sensitive data held in shadow copies, which helps maintain system integrity and surfaces misuse of administrative tools like mklink.

Author

Teymur Kheirkhabarov, oscd.community

Future actions

Known False Positives

Legitimate backup or forensic tools, and administrators performing sanctioned recovery, may use mklink to mount a shadow copy for data recovery, compliance or analysis purposes. Use the user account, parent process and link target to separate these cases: a backup agent's service account mounting the volume root on a schedule is expected, while an interactive or remotely spawned cmd.exe linking directly to NTDS.dit, SAM or SYSTEM on a domain controller is not.

Next Steps

When this rule is triggered, the following measures can be implemented:

  • Identification: Check whether the process ran with elevated privileges (creating the link and reading a shadow copy normally both require local administrator rights), whether the user account is one that performs backups or recovery, and what the parent process was; a remote management tool, scheduled task or web shell spawning cmd.exe is far more suspicious than an interactive admin console.
  • Analysis: Look for a preceding shadow copy creation (vssadmin create shadow, wmic shadowcopy call create, diskshadow) and for follow-up activity such as copies of ntds.dit or the SAM, SYSTEM and SECURITY hives out of the linked directory, reg save, credential dumping, or lateral movement attempts.
  • Response: Isolate the host, terminate associated processes, and revoke any potentially compromised credentials. Review recent VSS (Volume Shadow Copy) activity and audit for unauthorized access attempts.
  • Restrict access: mklink is a cmd.exe built-in and cannot be removed on its own; instead restrict the Create symbolic links user right (SeCreateSymbolicLinkPrivilege) and local administrator membership to the accounts that need them, and keep shadow copy access limited to trusted backup accounts and processes.

Mitigation

Mitigation ID - Mitigation name: Mitigation description

M1041 - Encrypt Sensitive Information: Ensure Domain Controller backups are properly secured.

M1027 - Password Policies: Enforce complex and unique passwords for local administrator accounts across all systems in your network.

M1028 - Operating System Configuration: Consider disabling or restricting NTLM.

M1026 - Privileged Account Management: Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled.

M1017 - User Training: Train users and administrators to avoid using the same password for multiple accounts to limit credential overlap across systems.