Copy From VolumeShadowCopy Via Cmd.EXE (c73124a7-3e89-44a3-bdc1-25fe4df754b1)
Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Copy From VolumeShadowCopy Via Cmd.EXE (c73124a7-3e89-44a3-bdc1-25fe4df754b1) | Sigma-Rules | Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | 1 |