🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page
  • Key Insights:
  • Overview:
  • Practical Use Case:
  • Manual Examination:
  • Open Source Tools:
  • Security Considerations:

Was this helpful?

  1. Windows Artifacts
  2. Shadow Copies

VSC Permissions

Volume Shadow Copies (VSCs) are an essential part of Windows systems, providing the ability to create backup copies or snapshots of files or volumes. Managing access to these snapshots is crucial for security and data integrity. PowerShell offers tools to inspect and manage the permissions of shadow copies, ensuring that only authorized users and processes can access or modify them.

Key Insights:

  • Access Management: Permissions on a shadow copy determine which users or groups can access, modify, or delete the snapshots.

  • PowerShell Utilization: Get-VssShadowCopy and Get-VssShadowCopyAccess cmdlets in PowerShell are instrumental in listing shadow copies and their permissions.

Overview:

Permissions on VSCs are critical for securing backup data. By default, shadow copies might grant access to system administrators and the SYSTEM account, with more restrictive access for regular users. Understanding and managing these permissions is vital for preventing unauthorized access or modifications to shadow copies.

Listing Shadow Copies:

To list all shadow copies present on the system, use the Get-VssShadowCopy cmdlet. This command provides an overview of existing snapshots, which is the first step in auditing their access permissions.

Checking Permissions:

For a detailed look at the permissions of a specific shadow copy, the Get-VssShadowCopyAccess cmdlet comes into play. It allows administrators to query the access rights of different users and groups to a particular shadow copy.

Example Command:

Get-VssShadowCopyAccess -ID 1

Sample Output Explanation:

  • NT AUTHORITY\SYSTEM: This account has full control over the shadow copy, allowing it to perform any action, including modifications and deletions.

  • BUILTIN\Administrators: Members of the administrators group also have full control, reflecting their broad access rights on the system.

  • BUILTIN\Users: Regular users have read access, enabling them to view the contents of the shadow copy but not modify or delete it.

Practical Use Case:

A security administrator suspects unauthorized access to shadow copies. They use the Get-VssShadowCopy and Get-VssShadowCopyAccess cmdlets to audit the permissions of all snapshots. Discovering overly permissive access, the administrator then takes steps to restrict permissions, ensuring that only essential accounts and groups have the necessary access levels.

Manual Examination:

To manually check VSC permissions:

  1. List all shadow copies on the system with Get-VssShadowCopy.

  2. For each shadow copy of interest, use Get-VssShadowCopyAccess -ID <ShadowCopyID> to view its permissions.

  3. Analyze the output to determine if the access levels are appropriate for your security policies.

Open Source Tools:

While the specific cmdlets Get-VssShadowCopy and Get-VssShadowCopyAccess might not be standard PowerShell commands and could require custom scripts or modules, PowerShell itself is a powerful tool for managing VSC permissions. There are no direct open-source alternatives for these cmdlets, but PowerShell scripts and third-party tools can be developed or used for similar purposes.

Security Considerations:

  • Least Privilege: Ensure that shadow copy permissions adhere to the principle of least privilege, limiting full control to essential accounts.

  • Monitoring: Implement monitoring for changes to shadow copy permissions to detect unauthorized modifications.

PreviousShadow CopiesNextEvent ID 8193: Volume Shadow Copy Service Error

Last updated 1 year ago

Was this helpful?