Symbolic Link to Shadow Copy Created

Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Credential Access

Version: 3 (version history)

Added (Elastic Stack release): 8.0.0

Last modified (Elastic Stack release): 8.2.0

Rule authors: Elastic, Austin Songer

Rule license: Elastic License v2

Potential false positives

Legitimate administrative activity related to shadow copies.

Investigation guide

## Triage and analysis

### Investigating Symbolic Link to Shadow Copy Created

Shadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt
to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active
Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is
needed to extract these hashes and potentially conduct lateral movement.

#### Possible investigation steps

- Determine if a volume shadow copy was recently created on this endpoint.
- Review the privileges of the end user, as this activity requires administrative access.
- Verify if the ntds.dit file was successfully copied and determine its copy destination.
- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.
- Investigate recent deletions of volume shadow copies.
- Identify other files potentially copied from volume shadow copy paths directly.

### False positive analysis

- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.

### Related rules

- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- If the entire domain or the `krbtgt` user was compromised:
  - Activate your incident response plan for total Active Directory compromise which should include, but not be limited
  to, a password reset (twice) of the `krbtgt` user.
- Locate and remove static files copied from volume shadow copies.
- The command-line tool mklink requires administrative access by default unless Developer Mode is enabled.

## Config

Ensure advanced audit policies for Windows are enabled, specifically:
Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)

```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
System Audit Policies >
Object Access >
Audit File System (Success,Failure)
Audit Handle Manipulation (Success,Failure)
```

This event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.
Direct access to a shell and calling symbolic link creation tools will not generate an event matching this rule.

If enabling an EQL rule on a non-Elastic-Agent index (such as Beats) on versions earlier than 8.2, events will not define `event.ingested`, and the default fallback for EQL rules was not added until 8.2. You will therefore need to add a custom ingest pipeline that sets `event.ingested` from `@timestamp` for this rule to work.

Rule query

```
process where event.type in ("start", "process_created") and
  process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE") and
  /* Create Symbolic Link to Shadow Copies */
  process.args : ("*mklink*", "*SymbolicLink*") and
  process.command_line : ("*HarddiskVolumeShadowCopy*")
```

Threat mapping

Framework: MITRE ATT&CK™

Rule version history

Version 3 (8.2.0 release)
  • Updated query, changed from:

    ```
    process where event.type in ("start", "process_started") and
      process.pe.original_file_name == "Cmd.Exe" and
      process.args : "*mklink*" and
      process.args : "*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*"
    ```

Version 2 (8.1.0 release)
  • Formatting only
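The rule query above and the version 2 query in the version history differ in which process images and which argument shapes they cover. The following is an added example (not part of the Elastic rule or its documentation) that applies both queries to a handful of constructed process events, so the effect of the version 3 change (adding PowerShell.EXE, the `*SymbolicLink*` argument and the move from `process.args` to `process.command_line` for the shadow-copy path) can be seen directly. The EQL semantics are modelled as I understand them: `:` is a case-insensitive wildcard match where any element of an array field may match, while `in` and `==` are exact and case-sensitive. Event names and the `VSS_PATH` value are constructed for the example.

```python
# Added example, not Elastic's code: a toy evaluator for the page's EQL rule
# (version 3) and its version 2 predecessor, run over constructed events.
import fnmatch

# Constructed sample target: the shadow-copy device path the rule looks for.
VSS_PATH = "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\"


def eql_match(value, patterns):
    """EQL ':' operator: case-insensitive, '*' wildcard, any-element for arrays."""
    values = value if isinstance(value, list) else [value]
    return any(fnmatch.fnmatchcase(v.lower(), p.lower())
               for v in values for p in patterns)


def rule_v3(e):
    """The page's current (version 3) query."""
    return (e["event.type"] in ("start", "process_created")
            and e["process.pe.original_file_name"] in ("Cmd.Exe", "PowerShell.EXE")
            and eql_match(e["process.args"], ["*mklink*", "*SymbolicLink*"])
            and eql_match(e["process.command_line"], ["*HarddiskVolumeShadowCopy*"]))


def rule_v2(e):
    """The version 2 query from the rule's version history (cmd.exe only)."""
    return (e["event.type"] in ("start", "process_started")
            and e["process.pe.original_file_name"] == "Cmd.Exe"
            and eql_match(e["process.args"], ["*mklink*"])
            and eql_match(e["process.args"],
                          ["*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*"]))


def proc_event(name, original_file_name, args, event_type="start"):
    """Build an ECS-like process event dict (constructed, not real telemetry)."""
    return {
        "name": name,
        "event.type": event_type,
        "process.pe.original_file_name": original_file_name,
        "process.args": args,
        "process.command_line": " ".join(args),
    }


SAMPLE_EVENTS = [
    # mklink from cmd.exe to a shadow copy: matched by both versions
    proc_event("cmd_mklink_vss", "Cmd.Exe",
               ["cmd.exe", "/c", "mklink", "/d", "C:\\vss", VSS_PATH]),
    # New-Item -ItemType SymbolicLink from PowerShell: only version 3 covers
    # PowerShell.EXE and the "*SymbolicLink*" argument
    proc_event("ps_symboliclink_vss", "PowerShell.EXE",
               ["powershell.exe", "-Command", "New-Item", "-ItemType", "SymbolicLink",
                "-Path", "C:\\vss", "-Target", VSS_PATH]),
    # ordinary directory link: mklink present, no shadow-copy path
    proc_event("cmd_mklink_benign", "Cmd.Exe",
               ["cmd.exe", "/c", "mklink", "/d", "C:\\tools", "C:\\Users\\Public\\tools"]),
    # enumerating shadow copies without creating a link
    proc_event("cmd_list_shadows", "Cmd.Exe",
               ["cmd.exe", "/c", "vssadmin", "list", "shadows"]),
    # same command line, but a process-end event: the event.type filter drops it
    proc_event("cmd_mklink_vss_end", "Cmd.Exe",
               ["cmd.exe", "/c", "mklink", "/d", "C:\\vss", VSS_PATH], event_type="end"),
]


def alerts(rule, events=SAMPLE_EVENTS):
    """Names of the events a rule function would alert on, in input order."""
    return [e["name"] for e in events if rule(e)]


if __name__ == "__main__":
    print("v3:", alerts(rule_v3))  # ['cmd_mklink_vss', 'ps_symboliclink_vss']
    print("v2:", alerts(rule_v2))  # ['cmd_mklink_vss']
```

Running it shows that the benign directory link and the `vssadmin list shadows` enumeration match neither version (the first lacks the shadow-copy path, the second lacks any link-creation argument), while the PowerShell `New-Item -ItemType SymbolicLink` case is the one the version 3 change added coverage for.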