Abusing Shadow Copies

If you have local administrator access on a machine, try listing its shadow copies; it's an easy route to privilege escalation.

  1. List shadow copies using vssadmin (needs administrator access)

vssadmin list shadows

  2. List shadow copies using diskshadow

diskshadow list shadows all

  3. Make a symlink to the shadow copy and access it

mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
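
To spot this sequence in process-creation telemetry, the following added example (not part of the original page) matches the three commands above and raises severity when a shadow-copy symlink follows a listing on the same host. The event fields (host, user, ts, cmdline), the 900-second window and the sample events are constructed assumptions, shaped like Sysmon Event ID 1 or Security 4688 records.

```python
import re

# Regexes for the three commands on this page; case-insensitive and tolerant
# of full paths, ".exe" suffixes and "cmd /c" wrappers.
ENUM = re.compile(r"\b(vssadmin|diskshadow)(?:\.exe)?\"?\s+list\s+shadows\b", re.I)
LINK = re.compile(
    r"\bmklink\b.*\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy(\d+)", re.I)

def classify(cmdline):
    """Return 'enumerate', 'link' or None for one process command line."""
    if LINK.search(cmdline):
        return "link"
    if ENUM.search(cmdline):
        return "enumerate"
    return None

def correlate(events, window=900):
    """Flag shadow-copy symlinks; severity is 'high' when the same host
    listed shadow copies in the preceding `window` seconds (assumed value)."""
    last_enum = {}  # host -> timestamp of most recent listing
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify(ev["cmdline"])
        if kind == "enumerate":
            last_enum[ev["host"]] = ev["ts"]
        elif kind == "link":
            seen = last_enum.get(ev["host"])
            chained = seen is not None and ev["ts"] - seen <= window
            alerts.append({
                "host": ev["host"], "user": ev["user"], "ts": ev["ts"],
                "copy": int(LINK.search(ev["cmdline"]).group(1)),
                "severity": "high" if chained else "medium",
            })
    return alerts

# Constructed sample events; field names are assumptions, not a real schema.
SAMPLE = [
    {"host": "WS01", "user": "CORP\\alice", "ts": 1000,
     "cmdline": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"host": "WS01", "user": "CORP\\alice", "ts": 1060, "cmdline":
     r"cmd.exe /c mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1" + "\\"},
    {"host": "SRV02", "user": "CORP\\backup", "ts": 1100, "cmdline": "vssadmin list writers"},
    {"host": "SRV03", "user": "CORP\\bob", "ts": 1200, "cmdline":
     r'cmd /c MKLINK /D "C:\tmp\sc" "\\?\globalroot\device\harddiskvolumeshadowcopy12\"'},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

mklink is a cmd.exe built-in, so it only shows up in process-creation logs when it is passed on a command line such as cmd /c; a link typed into an interactive prompt needs file-system or EDR telemetry to catch.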
