From 37232518f5fa55af90ee23ca9250d481b35c2abf Mon Sep 17 00:00:00 2001
From: kevross33
Date: Thu, 3 Oct 2019 10:59:11 +0100
Subject: [PATCH] Powershell shadowcopy modification into Curtain
---
 modules/processing/curtain.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/processing/curtain.py b/modules/processing/curtain.py
index fba5fc053..8c830f042 100644
--- a/modules/processing/curtain.py
+++ b/modules/processing/curtain.py
@@ -114,6 +114,8 @@ def buildBehaviors(entry, behaviorTags):
 behaviorCol["Token Manipulation"] = [["CreateProcessWithTokenA"],["CreateProcessWithTokenW"],["AdjustTokenPrivileges"],["DuplicateToken"],["OpenProcessToken"],["WTSQueryUserToken"]]
+ behaviorCol["Modifies Shadowcopy"] = [["Win32_Shadowcopy"]]
+
 for event in entry:
 for message in entry[event]:
 message = entry[event][message]
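Review bot: The new `behaviorCol["Modifies Shadowcopy"]` entry keys on the bare class name `Win32_Shadowcopy`, so the tag says "Modifies" even when a script only enumerates shadow copies. Either name the tag for what is actually matched or document the limit above the entry, for example `# Matches any reference to the WMI class, including read-only queries; confirm a delete/resize call before treating this as shadow-copy tampering.` PowerShell identifiers are case-insensitive, so the token comparison should be case-folded on both sides. The matching loop in `buildBehaviors` continues outside this hunk, so whether it already does that cannot be confirmed from here.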