SACL for shadow copies
I’m researching the topic of detecting registry dumps from disk shadow copies and have realized that I don’t see any specific events in the Windows and Sysmon logs.
I tried a simple copy with the command:
copy \\?\GLOBALROOT\Device\HarddiskVolume…