LOLBAS/yml/OSBinaries/Diskshadow.yml

36 lines
1.3 KiB
YAML

---
Name: Diskshadow.exe
Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
Author: 'Oddvar Moe'
Created: '2018-05-25'
Commands:
- Command: diskshadow.exe /s c:\test\diskshadow.txt
Description: Execute commands using diskshadow.exe from a prepared diskshadow script.
Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit
Category: Dump
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows server
- Command: diskshadow> exec calc.exe
Description: Execute commands using diskshadow.exe to spawn child process
Usecase: Use diskshadow to bypass defensive counter measures
Category: Execute
Privileges: User
MitreID: T1003
MitreLink: https://attack.mitre.org/wiki/Technique/T1003
OperatingSystem: Windows server
Full Path:
- Path: C:\Windows\System32\diskshadow.exe
- Path: C:\Windows\SysWOW64\diskshadow.exe
Code Sample:
- Code:
Detection:
- IOC: Child process from diskshadow.exe
- IOC: Diskshadow reading input from file
Resources:
- Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---