Copy From VolumeShadowCopy Via Cmd.EXE (c73124a7-3e89-44a3-bdc1-25fe4df754b1)
Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | Copy From VolumeShadowCopy Via Cmd.EXE (c73124a7-3e89-44a3-bdc1-25fe4df754b1) | Sigma-Rules | 1 |