3.10.2. vssadmin

Basic Information

Tool Name: vssadmin
Category: Obtaining Active Directory database
Tool Overview: Creates a Volume Shadow Copy and extracts NTDS.DIT
Example of Presumed Tool Use During an Attack: This tool is used to extract NTDS.DIT, the database of NTDS, so that the passwords it holds can be analysed using other tools.

Operating Condition
- Authority: Administrator
- Targeted OS: Windows Server
- Domain: Required
- Communication Protocol: -
- Service: Active Directory Domain Services

Information Acquired from Log
- Standard Settings: The fact that the service has started and that a driver was installed on a storage device; history of shadow copy creation
- Additional Settings: Execution history (Sysmon / audit policy)

Evidence That Can Be Confirmed When Execution is Successful
If the following log is in the event log, it is considered that a shadow copy was created.
- The Event ID 8222 is recorded in the event log "Security".
*Additionally, if a log indicating that files under C:\Windows\NTDS, which cannot normally be read, were copied (Event ID: 4663) is recorded, it is possible that a shadow copy was used.

Legend (Acquirable Information)
- Event ID/Item Name
- Field Name
- "Field Value"

Points to be Confirmed

Log Generation Location: Active Directory Domain Controller (all entries below)

Log Type and Name: Event Log - Security
Additional Settings: Required
Communication: -
Acquired Information Details:
  Event ID: 4688 (A new process has been created)
            4689 (A process has exited)
  - Process Information -> Process Name: "C:\Windows\System32\vssadmin.exe"
  - Confirmable Information
    - Process Start/End Time and Date: Log Date
    - Name of User Who Executed the Process: Subject -> Account Name
    - Domain of User Who Executed the Process: Subject -> Account Domain
    - Process ID: Process Information -> New Process ID
    - Presence of Privilege Escalation at Process Execution: Process Information -> Token Escalation Type
    - Process Return Value: Process Information -> Exit Status

Log Type and Name: Event Log - Security
Additional Settings: -
Communication: -
Acquired Information Details:
  Event ID: 8222 (A shadow copy was created)
  - Confirmable Information
    - Shadow Copy Name: Shadow Device Name
  - Remarks
    - If a log (Event ID 4663) indicating that files under C:\Windows\NTDS, which cannot normally be read, were accessed successfully is recorded, it is considered that access to the files was successful.
    - The content of the output log depends on the software used for copying. Note that outputting Event ID 4663 requires the audit of object access.

Log Type and Name: Event Log - System
Additional Settings: -
Communication: -
Acquired Information Details:
  Event ID: 7036
  - Details Tab -> System\Provider\Name: "Service Control Manager"
  - Details Tab -> EventData\param1: "Volume Shadow Copy"
  - Confirmable Information
    - Executing the Service: Details Tab -> EventData\param2 ("Being executed")
  *If the Volume Shadow Copy service is already running, this log is not output.

Log Type and Name: Event Log - System
Additional Settings: -
Communication: -
Acquired Information Details:
  Event ID: 20001
  - Details Tab -> System\Provider\Name: "Microsoft-Windows-UserPnp"
  - Confirmable Information
    - Process ID: System\Execution\ProcessID *Matches the process ID of drvinst.exe output in the Sysmon log.
    - Snapshot Name: UserData\InstallDeviceID\DeviceInstanceID
  *If a similar snapshot was mounted before, this event log may not be output.

Log Type and Name: Event Log - Sysmon
Additional Settings: Required
Communication: -
Acquired Information Details:
  Event ID: 1 (Process Create)
            5 (Process Terminated)
  - Image: "C:\Windows\System32\vssadmin.exe"
  - Confirmable Information
    - Process Start/End Time and Date (UTC): UtcTime
    - Process Command Line: CommandLine *The drives targeted for creating a shadow copy are recorded.
    - User Name: User
    - Process ID: ProcessId

Log Type and Name: Registry
Additional Settings: -
Communication: -
Acquired Information Details:
  Execution History Registry Entry: HKEY_LOCAL_MACHINE\CurrentControlSet\Enum\STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot[Snapshot Number]
  - If drvinst.exe has been executed, a new key is created.

Remarks

Additional Event Logs That Can Be Output: The fact that a driver was installed may be left in volsnap.inf as a difference. (*If a similar snapshot was mounted before, an event log may not be recorded.)
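As an added example (not part of the report above), the following correlates the indicators the table lists over constructed event records: a vssadmin process event (Security 4688 / Sysmon 1), the service start (System 7036), the shadow copy creation (Security 8222) and an object-access event on C:\Windows\NTDS (Security 4663). The dict layout and the XML-style field names (NewProcessName, ObjectName, param1, ...) are assumptions of this example, chosen to mirror the report's "Field Name" column.

```python
# Added example: correlates the vssadmin indicators listed above over
# constructed event records (not real logs). The dict layout and field
# names are assumptions modelled on the report's "Points to be Confirmed".
VSSADMIN = "c:\\windows\\system32\\vssadmin.exe"
NTDS_DIR = "c:\\windows\\ntds\\"

# Constructed sample events, one per indicator in the table above.
SAMPLE_EVENTS = [
    {"log": "Security", "id": 4688, "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe",
     "SubjectUserName": "admin01", "SubjectDomainName": "CORP", "NewProcessId": "0x1a3c"},
    {"log": "Sysmon", "id": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=C:", "User": "CORP\\admin01", "ProcessId": 6716},
    {"log": "System", "id": 7036, "Provider": "Service Control Manager",
     "param1": "Volume Shadow Copy", "param2": "running"},
    {"log": "Security", "id": 8222,
     "ShadowDeviceName": "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"},
    {"log": "Security", "id": 4663, "ObjectName": "C:\\Windows\\NTDS\\ntds.dit",
     "SubjectUserName": "admin01"},
]

def detect_ntds_shadow_copy(events):
    """Return the evidence found for each indicator plus an overall severity."""
    f = {"vssadmin_exec": [], "shadow_created": [], "vss_service_started": [],
         "snapshot_driver": [], "ntds_access": []}
    for ev in events:
        log, eid = ev["log"], ev["id"]
        if log == "Security" and eid in (4688, 4689) and ev.get("NewProcessName", "").lower() == VSSADMIN:
            f["vssadmin_exec"].append(f"{ev.get('SubjectDomainName')}\\{ev.get('SubjectUserName')} "
                                      f"pid={ev.get('NewProcessId')}")
        elif log == "Sysmon" and eid in (1, 5) and ev.get("Image", "").lower() == VSSADMIN:
            # Sysmon's CommandLine records the drive targeted for the shadow copy.
            f["vssadmin_exec"].append(f"{ev.get('User')} cmd={ev.get('CommandLine')}")
        elif log == "Security" and eid == 8222:
            f["shadow_created"].append(ev.get("ShadowDeviceName"))
        elif (log == "System" and eid == 7036 and ev.get("Provider") == "Service Control Manager"
              and ev.get("param1") == "Volume Shadow Copy"):
            f["vss_service_started"].append(ev.get("param2"))
        elif log == "System" and eid == 20001 and ev.get("Provider") == "Microsoft-Windows-UserPnp":
            f["snapshot_driver"].append(ev.get("DeviceInstanceID"))
        elif log == "Security" and eid == 4663 and ev.get("ObjectName", "").lower().startswith(NTDS_DIR):
            f["ntds_access"].append(ev.get("ObjectName"))
    # 7036 / 20001 only corroborate: the report notes they are absent when the
    # service is already running or a similar snapshot was mounted before.
    if (f["shadow_created"] or f["vssadmin_exec"]) and f["ntds_access"]:
        f["severity"] = "high"    # shadow copy plus access to NTDS.DIT
    elif f["shadow_created"] or f["vssadmin_exec"]:
        f["severity"] = "medium"  # shadow copy created; check what was read from it
    else:
        f["severity"] = "none"
    return f

if __name__ == "__main__":
    print(detect_ntds_shadow_copy(SAMPLE_EVENTS))
```

Because 4663 is only written when object-access auditing is enabled, a "medium" result without any NTDS access event is not proof that NTDS.DIT was left untouched.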