Not long ago, I blogged about Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction. This tool was quite interesting because it was yet another utility to perform volume shadow copy operations, and it had a few other features that could potentially support other offensive use cases. In fairness, evasion and persistence are probably not the strong suits of Vshadow.exe, but some of those use cases may have more relevance in its replacement – DiskShadow.exe.

In this post, we will discuss DiskShadow, present relevant features and capabilities for offensive opportunities, and highlight IOCs for defensive considerations.

*Don’t mind the ridiculous title – it just seemed thematic

What is DiskShadow?

“DiskShadow.exe is a tool that exposes the functionality offered by the Volume Shadow Copy Service (VSS). By default, DiskShadow uses an interactive command interpreter similar to that of DiskRaid or DiskPart. DiskShadow also includes a scriptable mode.”

DiskShadow is included in Windows Server 2008, Windows Server 2012, and Windows Server 2016 and is a Windows signed binary. The VSS features of DiskShadow require privileged-level access (with UAC elevation); however, several command utilities can be invoked by a non-privileged user. This makes DiskShadow a very interesting candidate for command execution and evasive persistence.

DiskShadow Command Execution

As a feature, the interactive command interpreter and script mode support the EXEC command.
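A defensive sketch of the process-creation IOCs this behaviour leaves behind, added here as an example and not taken from the original post: it flags DiskShadow started in script mode and any process whose parent is DiskShadow. The field names follow Sysmon Event ID 1, the sample events are constructed, and the `/s` or `-s` script-mode switch is assumed from DiskShadow's command-line syntax.

```python
import ntpath
import re

DISKSHADOW = "diskshadow.exe"
# Assumption: script mode is selected with /s or -s followed by a script file.
SCRIPT_FLAG = re.compile(r"(?:^|\s)[/-]s(?:\s+|$)", re.IGNORECASE)

def is_diskshadow(path):
    """True when a Windows image path points at diskshadow.exe (any case)."""
    return ntpath.basename(path or "").lower() == DISKSHADOW

def classify(event):
    """Return findings for one process-creation event (Sysmon ID 1 style fields)."""
    findings = []
    if is_diskshadow(event.get("Image")) and SCRIPT_FLAG.search(event.get("CommandLine", "")):
        findings.append("script_mode")   # non-interactive run driven by a script file
    if is_diskshadow(event.get("ParentImage")):
        findings.append("exec_child")    # child process of DiskShadow, as EXEC produces
    return findings

def scan(events):
    """Return (index, findings) for every event that produced at least one finding."""
    hits = []
    for i, ev in enumerate(events):
        found = classify(ev)
        if found:
            hits.append((i, found))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe /s C:\Users\Public\job.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": "calc.exe",
     "ParentImage": r"C:\WINDOWS\system32\DiskShadow.exe"},
    {"Image": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": "diskshadow.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for index, found in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["Image"], found)
```

A plain interactive launch (the third sample event) is not flagged on its own; it only surfaces once DiskShadow spawns a child process.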