.. /Vshadow.exe
Star

VShadow is a command-line tool that can be used to create and manage volume shadow copies.

Paths:

C:\Program Files (x86)\Windows Kits\10\bin\10.0.XXXXX.0\x64\vshadow.exe

Resources:

https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample

Acknowledgements:

Ayberk Halaç

Detection:

IOC: vshadow.exe usage with -exec parameter

Execute

Executes calc.exe from vshadow.exe.
```
vshadow.exe -nw -exec=c:\windows\system32\calc.exe C:
```
Use case
Performs execution of specified executable file.

Privileges required
Administrator

Operating systems
Windows 10, Windows 11

ATT&CK® technique
T1127