vssadmin.exe

  • File Path: C:\Windows\system32\vssadmin.exe
  • Description: Command Line Interface for Microsoft Volume Shadow Copy Service

Hashes

Type Hash
MD5 B58073DB8892B67A672906C9358020EC
SHA1 AAFE91BDC580260E4EF7FABC6B273FF0AE1E703F
SHA256 8C1FABCC2196E4D096B7D155837C5F699AD7F55EDBF84571E4F8E03500B7A8B0
SHA384 D05BD691914E58FBAA08F78D1E305782A4ADA5B3435841C3EC958FFB2562CD36C862AB116387B42040A79861944398FF
SHA512 84C3B17D84FB07F561F9ED53FF4CEF7EA155659F302631971F949999F2EAE87F7087DE2402B512714A0FBF4CCAFBAB2E0D015FAE508E96B783A9D894F6702BFA
SSDEEP 3072:o3mb3+xAIlxg9FTtLPQ0GGm47pylFHYcXZj5f0g8R:o3mb3+xNlx0T1PPm47pOFZZj5f0g8
IMP C1EDC431CD345F0A0F32019895D13FCE
PESHA1 D871D005C0231F4A849A873805E32F8F48E46631
PE256 5186EA897F6A878A05A1C6F4761AFE4AD621B4B522929430289B71B4E0CD4CB8

Runtime Data

Usage (stdout):

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Error: Invalid command.
 
---- Commands Supported ----

Delete Shadows        - Delete volume shadow copies
List Providers        - List registered volume shadow copy providers
List Shadows          - List existing volume shadow copies
List ShadowStorage    - List volume shadow copy storage associations
List Volumes          - List volumes eligible for shadow copies
List Writers          - List subscribed volume shadow copy writers
Resize ShadowStorage  - Resize a volume shadow copy storage association

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\vssadmin.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: VSSADMIN.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/8c1fabcc2196e4d096b7d155837c5f699ad7f55edbf84571e4f8e03500b7a8b0/detection

Possible Misuse

The following table contains possible examples of vssadmin.exe being misused. While vssadmin.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | godmode_sigma_rule.yml | - 'vssadmin delete shadows' # Ransomware | DRL 1.0
sigma | sysmon_suspicious_remote_thread.yml | - '\vssadmin.exe' | DRL 1.0
sigma | win_susp_vssadmin_ntds_activity.yml | - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/ | DRL 1.0
sigma | win_susp_vssadmin_ntds_activity.yml | - vssadmin.exe Delete Shadows | DRL 1.0
sigma | win_susp_vssadmin_ntds_activity.yml | - 'vssadmin create shadow /for=C:' | DRL 1.0
sigma | win_susp_vssadmin_ntds_activity.yml | - 'vssadmin delete shadows /for=C:' | DRL 1.0
sigma | proc_creation_win_apt_hafnium.yml | - 'vssadmin list shadows' | DRL 1.0
sigma | proc_creation_win_malware_conti.yml | - 'vssadmin list shadows' | DRL 1.0
sigma | proc_creation_win_multiple_suspicious_cli.yml | - vssadmin.exe | DRL 1.0
sigma | proc_creation_win_shadow_copies_creation.yml | - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/ | DRL 1.0
sigma | proc_creation_win_shadow_copies_creation.yml | - '\vssadmin.exe' | DRL 1.0
sigma | proc_creation_win_shadow_copies_deletion.yml | - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/ | DRL 1.0
sigma | proc_creation_win_shadow_copies_deletion.yml | - '\vssadmin.exe' | DRL 1.0
sigma | proc_creation_win_shadow_copies_deletion.yml | Image\|endswith: '\vssadmin.exe' | DRL 1.0
sigma | proc_creation_win_susp_system_user_anomaly.yml | - 'vssadmin delete shadows' # Ransomware | DRL 1.0
sigma | proc_creation_win_webshell_detection.yml | - '\vssadmin.exe' | DRL 1.0
LOLBAS | Wmic.yml | - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit" |
atomic-red-team | index.md | - Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows] | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md | - Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows] | MIT License. © 2018 Red Canary
atomic-red-team | T1003.003.md | - Atomic Test #1 - Create Volume Shadow Copy with vssadmin | MIT License. © 2018 Red Canary
atomic-red-team | T1003.003.md | ## Atomic Test #1 - Create Volume Shadow Copy with vssadmin | MIT License. © 2018 Red Canary
atomic-red-team | T1003.003.md | vssadmin.exe create shadow /for=#{drive_letter} | MIT License. © 2018 Red Canary
atomic-red-team | T1003.003.md | This test requires steps taken in the test "Create Volume Shadow Copy with vssadmin". | MIT License. © 2018 Red Canary
atomic-red-team | T1003.003.md | echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with vssadmin'" to fulfill this requirement | MIT License. © 2018 Red Canary
atomic-red-team | T1490.md | * vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet | MIT License. © 2018 Red Canary
atomic-red-team | T1490.md | vssadmin.exe delete shadows /all /quiet | MIT License. © 2018 Red Canary
atomic-red-team | T1490.md | if(!(vssadmin.exe list shadows \| findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 } | MIT License. © 2018 Red Canary
atomic-red-team | T1490.md | vssadmin.exe create shadow /for=c: | MIT License. © 2018 Red Canary
signature-base | apt_grizzlybear_uscert.yar | $b = "vssadmin delete shadows" ascii wide nocase | CC BY-NC 4.0
signature-base | crime_ransom_germanwiper.yar | $KillShadowCopies = "vssadmin.exe delete shadows" ascii | CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


vssadmin

Applies to: Windows Server 2022, Windows Server 2019, Windows 10, Windows 8.1, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008

Displays current volume shadow copy backups and all installed shadow copy writers and providers. Select a command name in the following table to view its command syntax.

Command | Description | Availability
vssadmin delete shadows | Deletes volume shadow copies. | Client and Server
vssadmin list shadows | Lists existing volume shadow copies. | Client and Server
vssadmin list writers | Lists all subscribed volume shadow copy writers on the system. | Client and Server
vssadmin resize shadowstorage | Resizes the maximum size for a shadow copy storage association. | Client and Server

MIT License. Copyright (c) 2020-2021 Strontic.