u0m3 Posted February 11, 2018 Report Posted February 11, 2018 Synopsis: Vshadow (vshadow.exe) is a command line utility for managing volume shadow copies. This tool is included within the Windows SDK and is signed by Microsoft. Vshadow has a lot of functionality, including the ability to execute scripts and invoke commands in support of volume shadow snapshot management. Not surprisingly, these capabilities can be abused for privileged-level evasion, persistence, and file extraction. Link: https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/ Via: Quote
