Suspicious Writes To System Volume Information

Description

This search detects writes to the 'System Volume Information' folder by something other than the System process.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Adversary Tactics

Alert Volume

This search detects writes to the 'System Volume Information' folder by something other than the System process.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Masquerading

Masquerading

MITRE Threat Groups

APT32
BRONZE BUTLER
Dragonfly 2.0
Windshift
menuPass

Data Sources

Endpoint Detection and Response

   Help

Suspicious Writes To System Volume Information Help

You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

   Search

Open in Search