vssadmin.exe

• File Path: C:\windows\SysWOW64\vssadmin.exe
• Description: Command Line Interface for Microsoft Volume Shadow Copy Service

Hashes

Type	Hash
MD5	9CB8ACC3ACF20C07D99DC41D5E44BAFA
SHA1	712E763B1DB0B417F3450D76BC63FB784898972E
SHA256	EA45BFBE5AACE1F1BF9184EE4053ABABB82538449DF7F9B1B73F62EB1A5741B2
SHA384	E7A1657A1D16FE42341FE1D3FAD17892AC9A1406881F3201AC9E504F8F0901ACA50CD3BFCECE98D7A893F3D65171B23B
SHA512	7DCD7EBB115417944ACB5F3488E33730775B149FCABE59766FD8E730A7AD616072F01C588BFA30E9BCC3BA7786CE5DFB61E2A582FA3741E0E3281491EED51D64
SSDEEP	1536:LG4LJsRI4N89we2hiSx7AfHIxshncmwpeqZJ1B+BLCoGsWbpB+WeAJQr2q5VZDoj:LG4LJaNKwe2hX4efW2bp4Wev9VZcZq

Signature

• Status: The file C:\windows\SysWOW64\vssadmin.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
• Serial: ``
• Thumbprint: ``
• Issuer:
• Subject:

File Metadata

• Original Filename: VSSADMIN.EXE.MUI
• Product Name: Microsoft Windows Operating System
• Company Name: Microsoft Corporation
• File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
• Product Version: 6.3.9600.16384
• Language: English (United States)
• Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of vssadmin.exe being misused. While vssadmin.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	godmode_sigma_rule.yml	- 'vssadmin delete shadows' # Ransomware	DRL 1.0
sigma	sysmon_suspicious_remote_thread.yml	- '\vssadmin.exe'	DRL 1.0
sigma	win_susp_vssadmin_ntds_activity.yml	- https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/	DRL 1.0
sigma	win_susp_vssadmin_ntds_activity.yml	- vssadmin.exe Delete Shadows	DRL 1.0
sigma	win_susp_vssadmin_ntds_activity.yml	- 'vssadmin create shadow /for=C:'	DRL 1.0
sigma	win_susp_vssadmin_ntds_activity.yml	- 'vssadmin delete shadows /for=C:'	DRL 1.0
sigma	proc_creation_win_apt_hafnium.yml	- 'vssadmin list shadows'	DRL 1.0
sigma	proc_creation_win_malware_conti.yml	- 'vssadmin list shadows'	DRL 1.0
sigma	proc_creation_win_multiple_suspicious_cli.yml	- vssadmin.exe	DRL 1.0
sigma	proc_creation_win_shadow_copies_creation.yml	- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/	DRL 1.0
sigma	proc_creation_win_shadow_copies_creation.yml	- '\vssadmin.exe'	DRL 1.0
sigma	proc_creation_win_shadow_copies_deletion.yml	- https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/	DRL 1.0
sigma	proc_creation_win_shadow_copies_deletion.yml	- '\vssadmin.exe'	DRL 1.0
sigma	proc_creation_win_shadow_copies_deletion.yml	Image\|endswith: '\vssadmin.exe'	DRL 1.0
sigma	proc_creation_win_susp_system_user_anomaly.yml	- 'vssadmin delete shadows' # Ransomware	DRL 1.0
sigma	proc_creation_win_webshell_detection.yml	- '\vssadmin.exe'	DRL 1.0
LOLBAS	Wmic.yml	- Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
atomic-red-team	index.md	- Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]	MIT License. © 2018 Red Canary
atomic-red-team	T1003.003.md	- Atomic Test #1 - Create Volume Shadow Copy with vssadmin	MIT License. © 2018 Red Canary
atomic-red-team	T1003.003.md	## Atomic Test #1 - Create Volume Shadow Copy with vssadmin	MIT License. © 2018 Red Canary
atomic-red-team	T1003.003.md	vssadmin.exe create shadow /for=#{drive_letter}	MIT License. © 2018 Red Canary
atomic-red-team	T1003.003.md	This test requires steps taken in the test “Create Volume Shadow Copy with vssadmin”.	MIT License. © 2018 Red Canary
atomic-red-team	T1003.003.md	echo Run “Invoke-AtomicTest T1003.003 -TestName ‘Create Volume Shadow Copy with vssadmin’” to fulfill this requirement	MIT License. © 2018 Red Canary
atomic-red-team	T1490.md	* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet	MIT License. © 2018 Red Canary
atomic-red-team	T1490.md	vssadmin.exe delete shadows /all /quiet	MIT License. © 2018 Red Canary
atomic-red-team	T1490.md	if(!(vssadmin.exe list shadows | findstr “No items found that satisfy the query.”)) { exit 0 } else { exit 1 }	MIT License. © 2018 Red Canary
atomic-red-team	T1490.md	vssadmin.exe create shadow /for=c:	MIT License. © 2018 Red Canary
signature-base	apt_grizzlybear_uscert.yar	$b = “vssadmin delete shadows” ascii wide nocase	CC BY-NC 4.0
signature-base	crime_ransom_germanwiper.yar	$KillShadowCopies = “vssadmin.exe delete shadows” ascii	CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

---

vssadmin

Applies to: Windows Server 2022, Windows Server 2019, Windows 10, Windows 8.1, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008

Displays current volume shadow copy backups and all installed shadow copy writers and providers. Select a command name in the following table view its command syntax.

Command	Description	Availability
vssadmin delete shadows	Deletes volume shadow copies.	Client and Server
vssadmin list shadows	Lists existing volume shadow copies.	Client and Server
vssadmin list writers	Lists all subscribed volume shadow copy writers on the system.	Client and Server
vssadmin resize shadowstorage	Resizes the maximum size for a shadow copy storage association.	Client and Server

Additional References

• Command-Line Syntax Key

---

MIT License. Copyright (c) 2020-2021 Strontic.