16 Feb
SACL for shadow copies
I'm researching the topic of detecting registry dumps from disk shadow copies and realized that I don't see any specific events in the Windows and Sysmon logs. I tried a simple copy with the command:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM
I also tried the PoC of the HiveNightmare vulnerability; the logs only show the start of the process. Maybe there are some detection options?
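Since the process creation event (Sysmon Event ID 1) is what does show up, one detection option is to match its CommandLine field for a shadow copy device path that ends in a registry hive. The example below is added here and is not from the poster; the event records are constructed samples that only carry the Sysmon fields the check uses (EventID, Image, CommandLine), and the hive list is an assumption you can extend.

```python
import re

# A shadow copy device path (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\...)
# that resolves to one of the registry hives under \Windows\System32\config.
# Path token ends at whitespace or a quote so trailing arguments are not swallowed.
SHADOW_HIVE = re.compile(
    r"\\Device\\HarddiskVolumeShadowCopy\d+\\[^\s\"']*?\\config\\"
    r"(SAM|SYSTEM|SECURITY|SOFTWARE)(?=[\s\"']|$)",
    re.IGNORECASE,
)

# Constructed sample Sysmon records (not real logs), reduced to the fields used here.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2"
                    r"\Windows\System32\config\SYSTEM C:\Users\Public\sys"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Windows\System32"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c Get-Content "\\.\GLOBALROOT\Device'
                    r'\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin list shadows"},          # listing snapshots, no hive read
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2"
                    r"\Windows\System32\config\SAM C:\x"},  # not a process creation event
]


def is_shadow_hive_access(command_line: str) -> bool:
    """True when the command line names a registry hive through a shadow copy device path."""
    return SHADOW_HIVE.search(command_line) is not None


def detect(events):
    """Return one finding per Sysmon process creation event that reads a hive via a shadow copy."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:          # only process creation carries CommandLine here
            continue
        m = SHADOW_HIVE.search(ev.get("CommandLine", ""))
        if m:
            findings.append({"Image": ev["Image"], "hive": m.group(1).upper(), "path": m.group(0)})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"shadow copy hive read: {f['hive']} via {f['Image']} ({f['path']})")
```

This only catches tools that pass the shadow copy path on the command line; a compiled PoC with the path embedded in the binary yields just the bare process start you already observed, so pair it with baselining of which images are expected to touch shadow copy device paths at all.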