EoP - Abusing Shadow Copies

Shadow Copy Exploitation in Elevation of Privilege (EoP)

Overview

Shadow Copies, managed by the Volume Shadow Copy Service (VSS), are point-in-time snapshots of a volume that preserve file states even while the files are in active use. Because a snapshot is a frozen copy, files that are locked on the live volume (such as the registry hives) can be read from it. While intended for legitimate backup and recovery purposes, attackers who already hold local administrator privileges can abuse these snapshots to access sensitive files, bypass access controls, and extend their control over the system.


Purpose of Shadow Copy Abuse in EoP

Exploiting Shadow Copies enables attackers to:

  • Retrieve sensitive files (e.g., SAM, SYSTEM, and SECURITY hives).

  • Bypass access controls, accessing data protected by higher privilege levels.

  • Extract configuration information or credentials to escalate control over the system.


Steps for Exploiting Shadow Copies

Step 1: Listing Available Shadow Copies

To exploit Shadow Copies, attackers first identify existing snapshots on the system.

Using vssadmin to List Shadow Copies

The vssadmin utility provides an overview of available Shadow Copies.

vssadmin list shadows

Sample Output:

Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
    Volume Name: \\?\Volume{f4b82791-0000-0000-0000-500600000000}\
    Shadow Copy Creation Time: 11/19/2024 02:15:32 PM
    Shadow Copy ID: {df4b8279-1234-5678-0000-00006b000000}

Using diskshadow to List All Shadow Copies

diskshadow provides a more detailed view of Shadow Copies.

diskshadow
DISKSHADOW> list shadows all

Sample Output:

* Shadow Copy ID: {12345678-1234-5678-1234-567812345678}
  Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
  Original Volume: (C:)\\?\Volume{abcd1234-abcd-1234-abcd-12345678abcd}\
  Creation Time: 11/19/2024 02:15:32 PM

Step 2: Creating a Symlink to Access Shadow Copy Data

Once a Shadow Copy is identified, attackers can create a symlink to directly access its contents.

Example Command to Create a Symlink

Assuming the target is HarddiskVolumeShadowCopy1 (run from an elevated prompt; the trailing backslash on the GLOBALROOT path is required):

mklink /d C:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

  • This command creates a directory symlink named C:\shadowcopy, providing direct access to the contents of the specified Shadow Copy.

  • Attackers can now explore or copy sensitive files by navigating to C:\shadowcopy.


Risks of Shadow Copy Exploitation

  1. Unauthorized Data Access

    • Attackers can view or copy sensitive system files, such as:

      • SAM, SYSTEM, and SECURITY hives (used for extracting credentials).

      • User profiles and sensitive documents.

  2. Security Bypass

    • Accessing files through symlinked Shadow Copies bypasses traditional file permission restrictions.

  3. Persistence

    • Shadow Copies may be leveraged as part of persistence mechanisms, allowing attackers to repeatedly access sensitive data.


Mitigation Strategies

To minimize the risks associated with Shadow Copy exploitation, implement the following measures:

1. Limit Administrator Access

  • Restrict local administrator privileges to essential personnel.

  • Enforce role-based access control (RBAC).

2. Monitor Shadow Copy Activity

  • Review the VSS events written to the Windows Application log, together with process-creation telemetry (Security event 4688 or Sysmon event 1), for vssadmin, diskshadow, and mklink invocations outside scheduled backup windows.

  • Investigate unexpected directory symlinks whose target is a \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path.

3. Control Shadow Copy Creation

  • Limit the creation of Shadow Copies to essential use cases.

  • Configure retention policies for system backups to prevent unnecessary accumulation of snapshots.

4. Enhance File Protection

  • Use BitLocker or other encryption tools to protect sensitive files, ensuring that even if accessed, the data remains encrypted.

  • Restrict access to critical directories and implement file integrity monitoring.
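As an added example (not part of the original page), the following Python check implements the monitoring point above: it scans process-creation records for the two steps the page describes, enumeration with vssadmin or diskshadow and a mklink to a HarddiskVolumeShadowCopy path, and ranks the symlink step higher. The event records and the backup-account allowlist are constructed for illustration and would come from your own telemetry and environment.

```python
import re

# Constructed sample process-creation records (the fields one would pull from
# Security 4688 or Sysmon event 1). Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "cmdline": "vssadmin list shadows"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "cmd.exe /c mklink /d C:\\shadowcopy "
                "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\"},
    {"host": "SRV02", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "diskshadow /s C:\\backup\\nightly.dsh"},
    {"host": "WS03", "user": "CORP\\asmith",
     "cmdline": "cmd.exe /c mklink /d C:\\tools C:\\Users\\asmith\\tools"},
]

# Accounts expected to enumerate snapshots (backup jobs). Assumed for the example;
# only enumeration is allowlisted, a symlink into a snapshot is always reported.
ALLOWED_BACKUP_USERS = {"NT AUTHORITY\\SYSTEM"}

RULES = [
    ("shadow_enum_vssadmin", re.compile(r"\bvssadmin(\.exe)?\s+list\s+shadows", re.I)),
    ("shadow_enum_diskshadow", re.compile(r"\bdiskshadow(\.exe)?\b", re.I)),
    ("shadow_symlink", re.compile(r"\bmklink\b.*HarddiskVolumeShadowCopy\d+", re.I)),
]

def classify(event):
    """Return the names of every rule the event's command line matches."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]

def scan(events):
    """Return one finding per suspicious event. Enumeration by an allowlisted
    backup account is dropped; a symlink into a snapshot is rated high."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if not hits:
            continue
        symlink = "shadow_symlink" in hits
        if not symlink and ev["user"] in ALLOWED_BACKUP_USERS:
            continue
        findings.append({"host": ev["host"], "user": ev["user"],
                         "severity": "high" if symlink else "medium",
                         "rules": hits, "cmdline": ev["cmdline"]})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["user"], f["rules"], f["cmdline"])
```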


Conclusion

Shadow Copy abuse represents a significant security risk in Windows environments. By understanding the methods attackers use to exploit this functionality and implementing robust mitigation strategies, organizations can minimize their exposure to Elevation of Privilege attacks.
