vssadmin.exe
- File Path:
C:\WINDOWS\system32\vssadmin.exe - Description: Command Line Interface for Microsoft Volume Shadow Copy Service
Hashes
| Type | Hash |
|---|---|
| MD5 | 02A10DBF904883B1F8EE9F3CC70F5EB8 |
| SHA1 | 980510AE54462EB2F892C002BB828EDB11D85C10 |
| SHA256 | ACDCC96D628EE8FF7F07FC5D795A05C22EB239BE0D44A9F01727B6124A9619A9 |
| SHA384 | 234CB59B7CC24A71E11EECD9D250DA3C1D5A3016DE9B0FC7BC0D6CAEBEADEF1A80EBBD24488C5CE59F6D295F2EAA5F48 |
| SHA512 | BF465F6FBEE3BA0865A90F461F7598E6113CE8986F2351DA3C5E2F50CDBA85D9C5FC5DD2C2FE54C1758FADB489DA9797A3C6328948795F8B9BD2D73B8D389D9A |
| SSDEEP | 3072:MNB9JdZjbn9OW4mPuZm47pyv7xp8AkTI5f0g8vY:Mn9JDHn9OW4mYm47pYEAkTI5f0g8v |
Runtime Data
Usage (stdout):
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
Error: Invalid command.
---- Commands Supported ----
Delete Shadows - Delete volume shadow copies
List Providers - List registered volume shadow copy providers
List Shadows - List existing volume shadow copies
List ShadowStorage - List volume shadow copy storage associations
List Volumes - List volumes eligible for shadow copies
List Writers - List subscribed volume shadow copy writers
Resize ShadowStorage - Resize a volume shadow copy storage association
Signature
- Status: Signature verified.
- Serial:
330000023241FB59996DCC4DFF000000000232 - Thumbprint:
FF82BC38E1DA5E596DF374C53E3617F7EDA36B06 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: VSSADMIN.EXE.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.18362.1 (WinBuild.160101.0800)
- Product Version: 10.0.18362.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of vssadmin.exe being misused. While vssadmin.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | godmode_sigma_rule.yml | - 'vssadmin delete shadows' # Ransomware |
DRL 1.0 |
| sigma | sysmon_suspicious_remote_thread.yml | - '\vssadmin.exe' |
DRL 1.0 |
| sigma | win_susp_vssadmin_ntds_activity.yml | - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/ |
DRL 1.0 |
| sigma | win_susp_vssadmin_ntds_activity.yml | - vssadmin.exe Delete Shadows |
DRL 1.0 |
| sigma | win_susp_vssadmin_ntds_activity.yml | - 'vssadmin create shadow /for=C:' |
DRL 1.0 |
| sigma | win_susp_vssadmin_ntds_activity.yml | - 'vssadmin delete shadows /for=C:' |
DRL 1.0 |
| sigma | proc_creation_win_apt_hafnium.yml | - 'vssadmin list shadows' |
DRL 1.0 |
| sigma | proc_creation_win_malware_conti.yml | - 'vssadmin list shadows' |
DRL 1.0 |
| sigma | proc_creation_win_multiple_suspicious_cli.yml | - vssadmin.exe |
DRL 1.0 |
| sigma | proc_creation_win_shadow_copies_creation.yml | - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/ |
DRL 1.0 |
| sigma | proc_creation_win_shadow_copies_creation.yml | - '\vssadmin.exe' |
DRL 1.0 |
| sigma | proc_creation_win_shadow_copies_deletion.yml | - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/ |
DRL 1.0 |
| sigma | proc_creation_win_shadow_copies_deletion.yml | - '\vssadmin.exe' |
DRL 1.0 |
| sigma | proc_creation_win_shadow_copies_deletion.yml | Image\|endswith: '\vssadmin.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_system_user_anomaly.yml | - 'vssadmin delete shadows' # Ransomware |
DRL 1.0 |
| sigma | proc_creation_win_webshell_detection.yml | - '\vssadmin.exe' |
DRL 1.0 |
| LOLBAS | Wmic.yml | - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit" |
|
| atomic-red-team | index.md | - Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.003.md | - Atomic Test #1 - Create Volume Shadow Copy with vssadmin | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.003.md | ## Atomic Test #1 - Create Volume Shadow Copy with vssadmin | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.003.md | vssadmin.exe create shadow /for=#{drive_letter} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.003.md | This test requires steps taken in the test “Create Volume Shadow Copy with vssadmin”. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.003.md | echo Run “Invoke-AtomicTest T1003.003 -TestName ‘Create Volume Shadow Copy with vssadmin’” to fulfill this requirement | MIT License. © 2018 Red Canary |
| atomic-red-team | T1490.md | * vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1490.md | vssadmin.exe delete shadows /all /quiet | MIT License. © 2018 Red Canary |
| atomic-red-team | T1490.md | if(!(vssadmin.exe list shadows | findstr “No items found that satisfy the query.”)) { exit 0 } else { exit 1 } | MIT License. © 2018 Red Canary |
| atomic-red-team | T1490.md | vssadmin.exe create shadow /for=c: | MIT License. © 2018 Red Canary |
| signature-base | apt_grizzlybear_uscert.yar | $b = “vssadmin delete shadows” ascii wide nocase | CC BY-NC 4.0 |
| signature-base | crime_ransom_germanwiper.yar | $KillShadowCopies = “vssadmin.exe delete shadows” ascii | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
vssadmin
Applies to: Windows Server 2022, Windows Server 2019, Windows 10, Windows 8.1, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008
Displays current volume shadow copy backups and all installed shadow copy writers and providers. Select a command name in the following table view its command syntax.
| Command | Description | Availability |
|---|---|---|
| vssadmin delete shadows | Deletes volume shadow copies. | Client and Server |
| vssadmin list shadows | Lists existing volume shadow copies. | Client and Server |
| vssadmin list writers | Lists all subscribed volume shadow copy writers on the system. | Client and Server |
| vssadmin resize shadowstorage | Resizes the maximum size for a shadow copy storage association. | Client and Server |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.