(CAPA) CAPA_resize_volume_shadow_copy_storage

Download Raw

rule:
  meta:
    name: resize volume shadow copy storage
    namespace: impact/inhibit-system-recovery
    author: michael.hunhoff@mandiant.com
    scope: basic block
  features:
    - and:
      - api: kernel32.DeviceIoControl
      - number: 0x53C028 = IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE

Associated Techniques