Name:Suspicious writes to System Volume Information id:cd6297cd-2bdd-4aa1-84aa-5d2f84228fac version:4 date:2024-10-17 author:Rico Valdez, Splunk status:deprecated type:Hunting Description:This search detects writes to the 'System Volume Information' folder by something other than the System process. Data_source:
-Sysmon EventID 1
search:(`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\ Volume Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_writes_to_system_volume_information_filter`
how_to_implement:You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives:It is possible that other utilities or system processes may legitimately write to this folder. Investigate and modify the search to include exceptions as appropriate. References: drilldown_searches:
: tags: analytic_story: - 'Collection and Staging' asset_type:Windows confidence:50 impact:50 message:tbd mitre_attack_id: - 'T1036' observable: name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' risk_score:25 security_domain:endpoint
