Volume Shadow Copy Extraction
"Leveraging VSS to extract sensitive system files and database snapshots from live Windows Server instances."
Volume Shadow Copy (VSS) Extraction
Volume Shadow Copy Service (VSS) is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of computer files or volumes, even when they are in use.
The Attacker's Perspective
VSS is a goldmine for attackers because it allows them to copy files that are normally locked by the operating system, such as:
SAMandSYSTEMhives.NTDS.dit(Active Directory Database).- Locked log files.
Extraction Methodology
Using vssadmin
The built-in vssadmin tool is the most common way to interact with shadow copies.
# Create a new shadow copy of the C drive
vssadmin create shadow /for=C:
# List existing shadow copies
vssadmin list shadows
Accessing the Snapshot
Once a shadow copy is created, it can be accessed via its global root path.
# Copy the NTDS.dit from the shadow copy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit
!TIP Using
vssadminoften triggers EDR alerts. Consider using more stealthy methods likentdsutilor raw disk access if possible.
Detecting VSS Abuse
Defenders should monitor for:
- vssadmin Execution: Especially with
create shadowordelete shadowsarguments. - Unauthorized access to GLOBALROOT: Accessing volume shadow copy device paths.
- Volume Creation Events: Event ID 7036 or similar VSS service start/stop events.
Best Practices
- Restrict Local Admin: VSS operations require high privileges. Limiting who has local admin rights is the first line of defense.
- Audit Backup Operations: Ensure only authorized backup software is interacting with VSS.