Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction
Common Information
Type Value
UUID ce7ea3ca-afbe-4558-8829-0a3a2ff44ef9
Fingerprint 7501e91704aa3691
Analysis status DONE
Considered CTI value 0
Text language
Published Feb. 10, 2018, 1 a.m.
Added to db Jan. 18, 2023, 9:12 p.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline bohops
Title Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction
Detected Hints/Tags/Attributes 41/1/13
Attributes
Details Type #Events CTI Value
Details Domain 2 blog.microsoft.com
Details Domain 88 secretsdump.py
Details Domain 30 adsecurity.org
Details File 3 vshadow.exe
Details File 380 notepad.exe
Details File 33 c:\windows\system32\notepad.exe
Details File 23 vssvc.exe
Details File 85 secretsdump.py
Details File 2 dit.bak
Details File 165 reg.exe
Details File 1 c:\system.bak
Details File 2 system.bak
Details Windows Registry Key 41 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run