```yaml
title: Shadow Copy Access via LOLbin Parents
id: edr-win-cred-shadow-copy-abuse
status: stable
description: >
  Identifies LOLbin parents spawning tools to manipulate Volume Shadow Copies
  for credential dumping or recovery inhibition. Catches vssadmin, certutil -encode,
  ntdsutil ifm, diskshadow, wmic shadowcopy, and esentutl /vss from shell or WinRM
  contexts. Covers both credential extraction (T1003.002/003) and pre-encryption
  VSS manipulation.
references:
  - https://attack.mitre.org/techniques/T1003/002/
  - https://attack.mitre.org/techniques/T1003/003/
  - https://attack.mitre.org/techniques/T1490/
author: ShroudCloud
date: 2026/04/16
tags:
  - attack.credential_access
  - attack.execution
  - attack.defense_evasion
  - attack.t1003.002
  - attack.t1003.003
  - attack.t1047
  - attack.t1218
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\wmic.exe'
      - '\mshta.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\powershell_ise.exe'
      - '\wmiprvse.exe'
      - '\wsmprovhost.exe'
      - '\winrshost.exe'
  selection_vssadmin:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: 'delete shadows'
  selection_certutil:
    Image|endswith: '\certutil.exe'
    CommandLine|contains: '-encode'
  selection_ntdsutil:
    Image|endswith: '\ntdsutil.exe'
    CommandLine|contains: 'ifm'
  selection_diskshadow:
    Image|endswith: '\diskshadow.exe'
    CommandLine|contains: 'list shadows'
  selection_wmic:
    Image|endswith: '\wmic.exe'
    CommandLine|contains: 'shadowcopy'
  selection_esentutl:
    Image|endswith: '\esentutl.exe'
    CommandLine|contains: '/vss'
  filter_tss:
    CommandLine|contains: 'tss.ps1'
  condition: selection_parent and (selection_vssadmin or selection_certutil or selection_ntdsutil or selection_diskshadow or selection_wmic or selection_esentutl) and not filter_tss
falsepositives:
  - Legitimate backup/admin operations with explicit scheduling context
level: high
```
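To show what this condition actually fires on, here is an added Python evaluator (not part of the rule and not ShroudCloud's tooling) that applies the selections above, using Sigma's case-insensitive string matching, to a few constructed process_creation events; the parent paths and command lines are invented sample data.

```python
# Added example: a minimal evaluator for the rule's condition, run over
# constructed process_creation events. Not the rule author's tooling.

PARENTS = ('\\cmd.exe', '\\wscript.exe', '\\cscript.exe', '\\rundll32.exe',
           '\\regsvr32.exe', '\\wmic.exe', '\\mshta.exe', '\\powershell.exe',
           '\\pwsh.exe', '\\powershell_ise.exe', '\\wmiprvse.exe',
           '\\wsmprovhost.exe', '\\winrshost.exe')

# (Image suffix, CommandLine substring) pairs, one per selection_* block
TOOLS = (('\\vssadmin.exe', 'delete shadows'), ('\\certutil.exe', '-encode'),
         ('\\ntdsutil.exe', 'ifm'), ('\\diskshadow.exe', 'list shadows'),
         ('\\wmic.exe', 'shadowcopy'), ('\\esentutl.exe', '/vss'))


def matches(event: dict) -> bool:
    """Evaluate the rule's condition for one event. Sigma's endswith and
    contains modifiers are case-insensitive, so fields are lower-cased."""
    parent = event.get('ParentImage', '').lower()
    image = event.get('Image', '').lower()
    cmd = event.get('CommandLine', '').lower()
    selection_parent = parent.endswith(PARENTS)
    selection_tool = any(image.endswith(img) and sub in cmd for img, sub in TOOLS)
    filter_tss = 'tss.ps1' in cmd
    return selection_parent and selection_tool and not filter_tss


EVENTS = [
    # Constructed: ntdsutil ifm launched from cmd.exe (fires)
    {'ParentImage': 'C:\\Windows\\System32\\cmd.exe',
     'Image': 'C:\\Windows\\System32\\ntdsutil.exe',
     'CommandLine': 'ntdsutil.exe ifm q q'},
    # Constructed: vssadmin from a WinRM host process, mixed case (fires)
    {'ParentImage': 'C:\\Windows\\System32\\wsmprovhost.exe',
     'Image': 'C:\\Windows\\System32\\vssadmin.exe',
     'CommandLine': 'vssadmin.exe Delete Shadows /All /Quiet'},
    # Constructed: same tool under a backup agent parent not in the list (no match)
    {'ParentImage': 'C:\\Program Files\\BackupAgent\\agent.exe',
     'Image': 'C:\\Windows\\System32\\vssadmin.exe',
     'CommandLine': 'vssadmin.exe delete shadows /for=C: /oldest'},
    # Constructed: wmic shadowcopy from a tss.ps1 run, dropped by filter_tss
    {'ParentImage': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'Image': 'C:\\Windows\\System32\\wmic.exe',
     'CommandLine': 'wmic shadowcopy list brief -- run by tss.ps1'},
]


def evaluate(events=EVENTS):
    """Return the indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == '__main__':
    print(evaluate())  # [0, 1]
```

Note that a vssadmin `list shadows` invocation under cmd.exe does not match, since the rule keys vssadmin on `delete shadows` only.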