Sensitive File Access Via Volume Shadow Copy Backup (f57f8d16-1f39-4dcb-a604-6c73d9b54b3d)
Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit).
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Sensitive File Access Via Volume Shadow Copy Backup (f57f8d16-1f39-4dcb-a604-6c73d9b54b3d) | Sigma-Rules | Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | 1 |