Esentutl Volume Shadow Copy Service Keys (5aad0995-46ab-41bd-a9ff-724f41114971)

Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) | Attack Pattern | Esentutl Volume Shadow Copy Service Keys (5aad0995-46ab-41bd-a9ff-724f41114971) | Sigma-Rules | 1 |
| Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) | Attack Pattern | OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | 2 |