From f55d9d11317a0ccb0286f7513ada44fc4fc57d3a Mon Sep 17 00:00:00 2001 From: AyberkHalac Date: Tue, 3 Oct 2023 18:53:08 +0300 Subject: [PATCH] Adding vshadow.exe (#325) Co-authored-by: Wietze --- yml/OtherMSBinaries/vshadow.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 yml/OtherMSBinaries/vshadow.yaml diff --git a/yml/OtherMSBinaries/vshadow.yaml b/yml/OtherMSBinaries/vshadow.yaml new file mode 100644 index 0000000..25e53e7 --- /dev/null +++ b/yml/OtherMSBinaries/vshadow.yaml @@ -0,0 +1,21 @@ +--- +Name: vshadow.exe +Description: VShadow is a command-line tool that can be used to create and manage volume shadow copies. +Author: Ayberk HalaƧ +Created: 2023-09-06 +Commands: + - Command: vshadow.exe -nw -exec=c:\windows\system32\calc.exe C: + Description: Executes calc.exe from vshadow.exe. + Usecase: Performs execution of specified executable file. + Category: Execute + Privileges: Administrator + MitreID: T1127 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.XXXXX.0\x64\vshadow.exe +Detection: + - IOC: vshadow.exe usage with -exec parameter +Resources: + - Link: https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample +Acknowledgement: + - Person: Ayberk HalaƧ
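Review bot: the Detection entry ("vshadow.exe usage with -exec parameter") gives a defender too little to build a rule on; since the Command line shows vshadow.exe launching another executable, spell out the telemetry to key on, for example "Process creation where the command line contains -exec= or where vshadow.exe is the parent process", and note that the Full_Path line shows the binary only ships under the Windows Kits SDK directory, so a vshadow.exe running from any other location (or on a host without the SDK installed) is itself worth flagging. Two smaller points in the same hunk: the command Description ("Executes calc.exe from vshadow.exe.") could say how the execution happens, i.e. vshadow creates a shadow copy of C: without involving VSS writers (-nw) and runs the -exec target once the shadow set exists, which also justifies the Administrator privilege listed; and the author name in the Author and Acknowledgement lines ("HalaƧ") looks like a mis-encoded character and should be checked against the intended spelling before merge.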