Diskshadow.exe is a tool that exposes the functionality offered by the Volume Shadow Copy Service (VSS).
The LOLBAS can achieve arbitrary code execution.
Execute commands using diskshadow.exe to spawn a child process.
Usecase: Use diskshadow to bypass defensive countermeasures.
diskshadow> exec calc.exe
The LOLBAS can be used to dump a process.
Execute commands using diskshadow.exe from a prepared diskshadow script.
Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit.
diskshadow.exe /s c:\test\diskshadow.txt
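
Detection logic for the two usages above, as an added example that is not part of the original entry: it scans process-creation records for diskshadow.exe started with a script switch and for processes whose parent is diskshadow.exe. The event field names (image, command_line, parent_image) and the sample records are constructed for illustration.

```python
import ntpath
import re

# Constructed sample process-creation records. The field names are assumptions
# for this example, loosely modelled on Sysmon/EDR process telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\diskshadow.exe",
     "command_line": r"diskshadow.exe /s c:\test\diskshadow.txt",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\calc.exe",
     "command_line": "calc.exe",
     "parent_image": r"C:\Windows\System32\diskshadow.exe"},
    {"image": r"C:\Windows\System32\diskshadow.exe",
     "command_line": "diskshadow.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe c:\notes\diskshadow.exe.txt",
     "parent_image": r"C:\Windows\explorer.exe"},
]

# /s or -s as its own token, followed by a quoted or unquoted script path.
SCRIPT_SWITCH = re.compile(r'(?:^|\s)[/-]s\s+("[^"]+"|\S+)', re.IGNORECASE)

def _is_diskshadow(path):
    # Compare the file name only, case-insensitively, using Windows path rules.
    return ntpath.basename(path or "").lower() == "diskshadow.exe"

def classify(event):
    """Return a list of (finding, detail) tuples for one event."""
    findings = []
    if _is_diskshadow(event.get("image")):
        match = SCRIPT_SWITCH.search(event.get("command_line", ""))
        if match:
            # Script mode: record the script path so it can be collected.
            findings.append(("script_mode", match.group(1).strip('"')))
        else:
            findings.append(("interactive", None))
    if _is_diskshadow(event.get("parent_image")):
        # Anything spawned by diskshadow.exe came from an exec command.
        findings.append(("child_of_diskshadow", ntpath.basename(event["image"])))
    return findings

def scan(events):
    return [(i, f) for i, e in enumerate(events) for f in classify(e)]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding)
```

The script path reported for script_mode is the file to retrieve during triage, since the exec and shadow copy commands live there and not on the command line.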