
VSSAudit Security Event Source Registration (e9faba72-4974-4ab2-a4c5-46e25ad59e9b)

Detects the registration of the security event source VSSAudit. It usually triggers when volume shadow copy operations occur.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| VSSAudit Security Event Source Registration (e9faba72-4974-4ab2-a4c5-46e25ad59e9b) | Sigma-Rules | Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) | Attack Pattern | 1 |
| Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) | Attack Pattern | OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | 2 |