Modifying Volume Shadow Copy Service Permissions: An Atomic Red Team (ART) Test

Sai Prashanth Pulisetti
Feb 1, 2024


Modify VSS Service Permissions

Introduction

In the ever-evolving landscape of cybersecurity, continuous testing and improvement of our defenses are crucial. One such method of testing is Atomic Red Team, a collection of small, open-source, cross-platform tests that emulate adversary behaviors and are mapped to MITRE ATT&CK techniques. Today, we’re highlighting a contribution to this framework by Sai Prashanth Pulisetti.

Sai Prashanth’s Contribution

Sai Prashanth Pulisetti, a security researcher and engineer, has recently contributed a new atomic test to the Atomic Red Team framework. The test belongs to the atomics for MITRE ATT&CK technique T1490 — Inhibit System Recovery, which cover the methods adversaries use to prevent or interfere with system recovery mechanisms such as shadow copies and backups.

The Atomic Test

The atomic test contributed by Prashanth is named “Modify VSS Service Permissions”. It rewrites the security descriptor of the Volume Shadow Copy Service (VSS), changing both the service’s discretionary ACL (DACL) and its system ACL (SACL). Read as SDDL, the command sets the following entries:

  • Deny Generic All (GA) to Network (NU), the logon SID held by users connected over the network
  • Deny GA to Everyone (WD)
  • Deny GA to Anonymous Logon (AN)
  • In the SACL, an audit entry (AU) that logs failed access attempts (the FA flag) at the GA level by Everyone (WD)
  • A second SACL audit entry with the same settings, additionally marked Object Inherit and Inherit Only (OIIO); an inherit-only entry does not apply to the object it is attached to, so on a service object it is inert

Two points are easy to misread here. First, in the ACE-flags position of an audit entry, FA means “failed access” (FAILED_ACCESS_ACE_FLAG), not “full access”: the SACL entries grant nothing, they only cause denied attempts to be logged when object-access auditing is enabled. Second, Everyone includes every logged-on principal, Administrators and SYSTEM included, so the three deny entries remove all service-control access to VSS for every caller. Anything that needs to start, stop, or query the service (vssadmin, Windows Backup, most backup agents) will fail. Run this test only in a controlled environment, from an elevated prompt.

The Command

The command used to modify the VSS permissions is as follows:

sc sdset VSS D:(D;;GA;;;NU)(D;;GA;;;WD)(D;;GA;;;AN)S:(AU;FA;GA;;;WD)(AU;OIIOFA;GA;;;WD)

This command uses the sc utility, a command-line program for communicating with the Service Control Manager and services. The sdset option replaces the service’s security descriptor with the SDDL string that follows. In SDDL, D: introduces the DACL and S: the SACL, and each parenthesised ACE has the form (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid): D is an access-denied ACE, A an access-allowed ACE, and AU a system-audit ACE, while the two GUID fields are empty for services. Note that in PowerShell “sc” is an alias for Set-Content, so type sc.exe there. For detection, the command line itself is the simplest artifact: process-creation logging (Security Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1) records sc.exe sdset together with the target service and the SDDL string.
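To make the ACE fields above concrete, the following PowerShell script decodes both the test’s SDDL and the cleanup SDDL into one row per ACE using the .NET RawSecurityDescriptor class. It is an added example for this page, not code from the atomic test or the Atomic Red Team project; the function name ConvertTo-ServiceAceTable is my own. It shows that the D: entries are AccessDenied, that the S: entries are SystemAudit with Audit = Failure, and which principals the short SID aliases resolve to.

```powershell
# Added example, not part of the Atomic Red Team test or the original post.
# Decodes a service SDDL string into one row per ACE with the .NET
# RawSecurityDescriptor class, so deny (D) and audit (AU) entries are not
# misread as allow entries. Works in Windows PowerShell 5.1 and PowerShell 7.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function ConvertTo-ServiceAceTable {
    param([Parameter(Mandatory)][string]$Sddl)

    # Partial SDDL without O:/G: parts is accepted; Owner and Group stay $null.
    $sd = [RawSecurityDescriptor]::new($Sddl)

    foreach ($part in @(
            @{ Name = 'DACL'; Acl = $sd.DiscretionaryAcl },
            @{ Name = 'SACL'; Acl = $sd.SystemAcl })) {
        if ($null -eq $part.Acl) { continue }
        foreach ($ace in $part.Acl) {
            # Resolve well-known SIDs (WD -> Everyone, NU -> NT AUTHORITY\NETWORK, ...);
            # fall back to the raw SID string if translation is not possible.
            try   { $who = $ace.SecurityIdentifier.Translate([NTAccount]).Value }
            catch { $who = $ace.SecurityIdentifier.Value }

            [pscustomobject]@{
                Acl        = $part.Name
                Type       = $ace.AceType      # AccessAllowed / AccessDenied / SystemAudit
                Flags      = $ace.AceFlags     # ObjectInherit, InheritOnly, FailedAccess, ...
                Audit      = $ace.AuditFlags   # Success / Failure; None for allow/deny ACEs
                AccessMask = '0x{0:X8}' -f $ace.AccessMask   # GA = 0x10000000
                Principal  = $who
            }
        }
    }
}

# The descriptor set by the atomic test, followed by the one its cleanup applies.
$testSddl    = 'D:(D;;GA;;;NU)(D;;GA;;;WD)(D;;GA;;;AN)S:(AU;FA;GA;;;WD)(AU;OIIOFA;GA;;;WD)'
$cleanupSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

'--- test descriptor ---'
ConvertTo-ServiceAceTable -Sddl $testSddl    | Format-Table -AutoSize
'--- cleanup descriptor ---'
ConvertTo-ServiceAceTable -Sddl $cleanupSddl | Format-Table -AutoSize
```

The same function accepts the output of sc.exe sdshow for any service, which is a quick way to review a descriptor before deciding whether a change like this one has been applied to a host.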

Cleanup

After running the test, it’s crucial to reset the VSS permissions to ensure the system’s backup and recovery capabilities remain functional. The cleanup command is:

sc sdset VSS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

This command sets a descriptor that matches a typical Windows default: SYSTEM (SY) may query, start, stop, and control the service; Administrators (BA) have full control; Built-in Users (BU) may only query status (LC); and failed access attempts by Everyone (WD) are audited. Defaults differ between Windows versions and may have been customised on a given host, so record the host’s own descriptor with sc sdshow VSS before running the test, and after cleanup confirm with sc sdshow VSS and a vssadmin list shadows that the service is back to its original state rather than assuming the cleanup succeeded.
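The safer way to handle cleanup is to restore the descriptor the host actually had, not a generic default. The PowerShell script below is an added example for this page, not part of the atomic test or the Atomic Red Team project: it snapshots the live VSS descriptor to a file, applies the test’s SDDL, reports whether the service can still be queried, and then restores the snapshot and verifies it matches. The function names and the snapshot path under $env:TEMP are my own choices. Run it from an elevated PowerShell on a test machine.

```powershell
# Added example, not part of the Atomic Red Team test or the original post.
# Snapshots the live VSS descriptor before the test, applies the test,
# reports whether the service is still reachable, and restores the snapshot
# instead of a generic default. Run from an elevated PowerShell.
# 'sc.exe' is spelled out because 'sc' is an alias for Set-Content in PowerShell.

$serviceName  = 'VSS'
$snapshotFile = Join-Path $env:TEMP "$serviceName-sddl-before.txt"   # path is an assumption

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    $out = & sc.exe sdshow $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow $Name failed: $out" }
    # sdshow prints an empty line followed by the descriptor; keep the SDDL line only
    ($out | ForEach-Object { "$_".Trim() } | Where-Object { $_ -match '^[DOGS]:' } | Select-Object -First 1)
}

function Set-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Sddl)
    $out = & sc.exe sdset $Name $Sddl 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset $Name failed: $out" }
}

function Test-ServiceReachable {
    param([Parameter(Mandatory)][string]$Name)
    # Get-Service needs SERVICE_QUERY_STATUS; a deny-GA-to-Everyone DACL removes it
    try   { $null = Get-Service -Name $Name -ErrorAction Stop; $true }
    catch { $false }
}

# 1. Record the machine's own pre-test descriptor (this is what to compare against).
$before = Get-ServiceSddl -Name $serviceName
Set-Content -Path $snapshotFile -Value $before
Write-Host "Original descriptor saved to $snapshotFile"
Write-Host "  $before"
Write-Host "Service reachable before test: $(Test-ServiceReachable -Name $serviceName)"

# 2. Apply the T1490 test descriptor.
$testSddl = 'D:(D;;GA;;;NU)(D;;GA;;;WD)(D;;GA;;;AN)S:(AU;FA;GA;;;WD)(AU;OIIOFA;GA;;;WD)'
Set-ServiceSddl -Name $serviceName -Sddl $testSddl
Write-Host "Service reachable during test: $(Test-ServiceReachable -Name $serviceName)"

# 3. Restore the snapshot, not the generic default, and prove it matches.
try {
    Set-ServiceSddl -Name $serviceName -Sddl (Get-Content -Path $snapshotFile -Raw).Trim()
}
catch {
    Write-Warning "Restore failed; reapply the descriptor in $snapshotFile by hand: $_"
    throw
}
$after = Get-ServiceSddl -Name $serviceName
if ($after -ne $before) {
    throw "Descriptor mismatch after restore.`n before: $before`n after:  $after"
}
Write-Host "Descriptor restored; service reachable: $(Test-ServiceReachable -Name $serviceName)"
```

Comparing two sc.exe sdshow outputs is reliable because both strings come from the same normaliser; comparing against a hand-typed default is not. If the restore step throws, the snapshot file is left in place so the original descriptor can be reapplied from a context that still holds write access to the service object.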

YAML

The test definition as published in atomic-red-team/atomics/T1490/T1490.yaml at master · redcanaryco/atomic-red-team (github.com):

- name: "Modify VSS Service Permissions"
  auto_generated_guid: a4420f93-5386-4290-b780-f4f66abc7070
  description: |
    This atomic test alters the security settings of the Volume Shadow Copy Service (VSS) by modifying its permissions, potentially impacting system recovery operations. The specific permissions set by the command are as follows:
    - Deny Generic All (GA) permissions to Network Users (NU)
    - Deny GA permissions to Everyone (WD)
    - Deny GA permissions to Anonymous (AN)
    - Allow Full Access (FA) and Generic All (GA) permissions to Everyone (WD) in System ACL (SACL)
    - Allow Object Inherit and Inherit Only (OIIO) Full Access (FA) and GA permissions to Everyone (WD) in SACL
    These permissions can significantly restrict VSS functionalities, including backup and restore operations. As such, it is essential to run this test only in a controlled environment with administrative privileges.
    A cleanup command is provided to reset VSS permissions to a common default configuration, which should be verified against your specific system's configuration. It's crucial to use this cleanup command after testing to ensure the system's backup and recovery capabilities remain functional. Running this test on a production system or critical environment is not recommended without proper precautions and a robust recovery plan.
  supported_platforms:
  - windows
  executor:
    name: "command_prompt"
    elevation_required: true
    command: |
      sc sdset VSS D:(D;;GA;;;NU)(D;;GA;;;WD)(D;;GA;;;AN)S:(AU;FA;GA;;;WD)(AU;OIIOFA;GA;;;WD)
    cleanup_command: |
      sc sdset VSS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Installing Atomic Red Team

If you’re interested in running this test or exploring more atomic tests, you’ll need to install Atomic Red Team. You can find the installation instructions on their GitHub page here.

Installing Atomic Red Team · redcanaryco/invoke-atomicredteam Wiki (github.com)

Caution

Running this test on a production system or critical environment is not recommended without proper precautions and a robust recovery plan. Always understand the potential impacts and have a recovery plan in place before running any tests.

Conclusion

Thank you for taking the time to read this blog post. If you found it informative and helpful, please share it with your colleagues, friends, and fellow cybersecurity enthusiasts. Your support helps us spread awareness and contributes to a safer digital world. Remember, knowledge is power, and sharing is caring. Stay safe and keep testing! 🛡️

Written by Sai Prashanth Pulisetti

A security geek with 3 years of experience in various security tools and methodologies. I expedite analysing malware samples in both static & dynamic analysis.