Vshadow.exe
VShadow is a command-line tool that can be used to create and manage volume shadow copies.
Paths:
- C:\Program Files (x86)\Windows Kits\10\bin\10.0.XXXXX.0\x64\vshadow.exe
Resources:
Detection:
- IOC: vshadow.exe usage with -exec parameter
Execute
Executes calc.exe from vshadow.exe.
vshadow.exe -nw -exec=c:\windows\system32\calc.exe C:
Usecase: Performs execution of specified executable file.
Privileges required: Administrator
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1127
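
The IOC listed under Detection, as an added example that is not part of the original entry: a Python check that flags vshadow.exe process-creation records carrying the -exec parameter and reports the program it would launch. The field names Image and CommandLine follow Sysmon Event ID 1 and are an assumption about the log source; the sample events and function names are constructed for illustration.

```python
import ntpath

# Constructed process-creation records (Sysmon Event ID 1 style field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Windows Kits\10\bin\10.0.XXXXX.0\x64\vshadow.exe",
     "CommandLine": r"vshadow.exe -nw -exec=c:\windows\system32\calc.exe C:"},
    {"Image": r"C:\Tools\VSHADOW.EXE",
     "CommandLine": r'VSHADOW.EXE -nw "-EXEC=C:\Temp\my dir\run.cmd" C:'},
    {"Image": r"C:\Tools\vshadow.exe",
     "CommandLine": r"vshadow.exe -nw C:"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo vshadow.exe -exec=x"},
]


def split_cmdline(cmdline):
    """Split on whitespace outside double quotes and drop the quote characters."""
    tokens, current, in_quotes = [], "", False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append(current)
                current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def vshadow_exec_target(event):
    """Return the program passed to -exec when the process is vshadow.exe, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "vshadow.exe":
        return None  # -exec text in another process's command line is not the IOC
    for token in split_cmdline(event.get("CommandLine", ""))[1:]:
        if token.lower().startswith("-exec="):
            return token[len("-exec="):]
    return None


def scan(events):
    """Return (image path, -exec target) for every matching record."""
    return [(e["Image"], t) for e in events
            if (t := vshadow_exec_target(e)) is not None]


if __name__ == "__main__":
    for image, target in scan(SAMPLE_EVENTS):
        print(f"ALERT vshadow -exec: {image} -> {target}")
```
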