diskshadow.exe

diskshadow.exe is a tool for working with Volume Shadow Copies, able to run a scripted sequence of shadow operations. Administrators and backup software use it to create and mount snapshots. Attackers use it to expose locked files like the Active Directory database, and to delete shadow copies, all from a scriptable signed binary.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS (2)
  • diskshadow.exe /s {PATH:.txt} (Dump): Use diskshadow to exfiltrate data from VSS such as NTDS.dit
  • diskshadow> exec {PATH:.exe} (Execute): Use diskshadow to bypass defensive counter measures

Indicators

Hashes

Not observed.

Analysis

About this process

diskshadow.exe drives the Volume Shadow Copy Service and can run interactively or from a script file. A script chains commands such as set context, create, expose, and delete shadows, which lets it create a snapshot, mount it as a drive letter, and operate on it without interactive input. It requires administrative rights and lives at C:\Windows\System32\diskshadow.exe.

Legitimately, diskshadow is used by backup and storage tooling to manage snapshots, which is uncommon on ordinary endpoints. The script or command sequence it runs is what gives an instance meaning.

Security notes

diskshadow.exe is a scriptable path to locked credential stores (T1003.003). A short script creates a shadow copy of the system volume, exposes it as a drive, and copies ntds.dit (on a domain controller) or the registry hives out of it, the same goal as the vssadmin and esentutl techniques but driven from a script file that can run non-interactively. Reading ntds.dit from an exposed shadow is the pattern.

It can also delete shadow copies, contributing to recovery inhibition (T1490) like vssadmin delete shadows. Because diskshadow is a legitimate, signed tool and snapshot work is rare on endpoints, the script it runs and the parent that launched it are what separate backup administration from credential theft or ransomware preparation.

Anomaly signals (5)
  • Image path other than C:\Windows\System32\diskshadow.exe (high)
  • A script that creates and exposes a shadow copy of the system volume (high)
  • Reads of ntds.dit or registry hives from an exposed shadow path (high)
  • delete shadows removing snapshots (high)
  • Parent is cmd.exe, powershell.exe, or an unfamiliar process (high)
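The following is an added triage example, not code from this profile or from any sensor vendor: it applies the five anomaly signals above to a process-creation record for diskshadow.exe. The record layout (image, parent, captured /s script text, file reads), the list of "familiar" backup parents, and the three sample records are constructed assumptions for the example; the script fixtures are deliberately incomplete fragments used only to exercise the checks. The exposed-drive check goes slightly beyond the bullet list: it reads the drive letter off each expose line so that a read of ntds.dit or a hive is only flagged when it comes from a drive the script itself mounted (or from a HarddiskVolumeShadowCopy device path).

```python
import re
from dataclasses import dataclass, field
from typing import List

# Path from the profile above; everything else here is an assumption for the example.
EXPECTED_IMAGE = r"c:\windows\system32\diskshadow.exe"
# Parents a backup agent might plausibly use on this host (assumed; replace with
# what the environment's own telemetry shows). Shells are intentionally absent.
FAMILIAR_PARENTS = {"services.exe", "wbengine.exe"}

# Credential stores the profile names: the AD database and the SAM/SYSTEM/SECURITY hives.
SENSITIVE_FILE = re.compile(r"(\\ntds\.dit|\\config\\(sam|system|security))$", re.IGNORECASE)
SHADOW_DEVICE = re.compile(r"harddiskvolumeshadowcopy\d+", re.IGNORECASE)


@dataclass
class DiskshadowEvent:
    image: str
    parent: str
    script_text: str = ""                            # contents of the /s script, if captured
    file_reads: List[str] = field(default_factory=list)  # paths the process opened for read


def _commands(script: str) -> List[List[str]]:
    """Split a diskshadow script into lower-cased token lists, skipping blanks and # comments."""
    out = []
    for line in script.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(line.lower().split())
    return out


def exposed_drives(script: str) -> List[str]:
    """Drive letters that 'expose <shadow> <X:>' lines mount a shadow copy at."""
    drives = []
    for tokens in _commands(script):
        if len(tokens) >= 3 and tokens[0] == "expose" and re.fullmatch(r"[a-z]:", tokens[-1]):
            drives.append(tokens[-1])
    return drives


def reads_from_shadow(event: DiskshadowEvent) -> bool:
    """True if a credential store was read from an exposed drive or a shadow device path."""
    drives = set(exposed_drives(event.script_text))
    for path in event.file_reads:
        if not SENSITIVE_FILE.search(path):
            continue
        lower = path.lower()
        if lower[:2] in drives or SHADOW_DEVICE.search(lower):
            return True
    return False


def anomaly_signals(event: DiskshadowEvent) -> List[str]:
    """Names of the profile's anomaly signals that this event triggers, in profile order."""
    fired = []
    commands = _commands(event.script_text)
    if event.image.lower() != EXPECTED_IMAGE:
        fired.append("unexpected image path")
    verbs = {tokens[0] for tokens in commands}
    if "create" in verbs and "expose" in verbs:
        fired.append("script creates and exposes a shadow copy")
    if reads_from_shadow(event):
        fired.append("credential store read from exposed shadow")
    if any(tokens[:2] == ["delete", "shadows"] for tokens in commands):
        fired.append("delete shadows")
    if event.parent.lower() not in FAMILIAR_PARENTS:
        fired.append("shell or unfamiliar parent")
    return fired


# Constructed sample records (not real telemetry). The scripts are fragments, not runnable jobs.
BENIGN_BACKUP = DiskshadowEvent(
    image=r"C:\Windows\System32\diskshadow.exe", parent="wbengine.exe",
    script_text="# constructed fixture: snapshot only, nothing exposed\ncreate\n")
CREDENTIAL_DUMP = DiskshadowEvent(
    image=r"C:\Windows\System32\diskshadow.exe", parent="cmd.exe",
    script_text="# constructed fixture\ncreate\nexpose %sysvol% x:\n",
    file_reads=[r"X:\Windows\NTDS\ntds.dit"])
SHADOW_WIPE = DiskshadowEvent(
    image=r"C:\Windows\System32\diskshadow.exe", parent="powershell.exe",
    script_text="# constructed fixture\ndelete shadows all\n")

if __name__ == "__main__":
    for name, ev in [("backup", BENIGN_BACKUP), ("dump", CREDENTIAL_DUMP), ("wipe", SHADOW_WIPE)]:
        print(f"{name}: {anomaly_signals(ev) or 'no signals'}")
```

Each fired signal is rated high in the profile, so a practical rule would alert on any non-empty result; the benign backup record produces none, the credential-access record fires three signals, and the snapshot-deletion record fires two.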

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
