Merge pull request ctxis#164 from kevross33/patch-93

Powershell shadowcopy modification into Curtain
enzok · Oct 3, 2019 · b44083f · b44083f
2 parents aff5955 + 3723251
commit b44083f
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/modules/processing/curtain.py b/modules/processing/curtain.py
@@ -114,6 +114,8 @@ def buildBehaviors(entry, behaviorTags):
 
     behaviorCol["Token Manipulation"] = [["CreateProcessWithTokenA"],["CreateProcessWithTokenW"],["AdjustTokenPrivileges"],["DuplicateToken"],["OpenProcessToken"],["WTSQueryUserToken"]]
 
+    behaviorCol["Modifies Shadowcopy"] = [["Win32_Shadowcopy"]]
+
     for event in entry:
         for message in entry[event]:
             message = entry[event][message]