Modifying Volume Shadow Copy Service Permissions: An Atomic Test (ART)
Introduction
In the ever-evolving landscape of cybersecurity, continuous testing and improvement of our defenses are crucial. One such method of testing is through the Atomic Red Team tests, a collection of open-source, cross-platform tests that emulate adversary behaviors and techniques. Today, we’re highlighting a significant contribution to this framework by Sai Prashanth Pulisetti.
Sai Prashanth’s Contribution
Sai Prashanth Pulisetti, a security researcher and engineer, has recently contributed a new atomic test to the Atomic Red Team framework. The test is part of the T1490 — Inhibit System Recovery series, which simulates various methods that adversaries use to prevent or interfere with system recovery mechanisms.
The Atomic Test
The atomic test contributed by Prashanth is named “Modify VSS Service Permissions”. This test alters the security settings of the Volume Shadow Copy Service (VSS) by modifying its permissions. The specific permissions set by the command are as follows:
- Deny Generic All (GA) permissions to Network Users (NU)
- Deny GA permissions to Everyone (WD)
- Deny GA permissions to Anonymous (AN)
- Allow Full Access (FA) and Generic All (GA) permissions to Everyone (WD) in System ACL (SACL)
- Allow Object Inherit and Inherit Only (OIIO) Full Access (FA) and GA permissions to Everyone (WD) in SACL
These permissions can significantly restrict VSS functionalities, including backup and restore operations. As such, it is essential to run this test only in a controlled environment with administrative privileges.
The Command
The command used to modify the VSS permissions is as follows:
sc sdset VSS D:(D;;GA;;;NU)(D;;GA;;;WD)(D;;GA;;;AN)S:(AU;FA;GA;;;WD)(AU;OIIOFA;GA;;;WD)
This command uses the sc utility, a command-line program for communicating with the Service Control Manager and with services. The sdset option sets the security descriptor of a service; the argument that follows the service name is a security descriptor string in SDDL form, and it specifies the new permissions (the D: portion is the DACL, the S: portion is the SACL, and each parenthesized group is one ACE).
Cleanup
After running the test, it’s crucial to reset the VSS permissions to ensure the system’s backup and recovery capabilities remain functional. The cleanup command is:
sc sdset VSS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
This command resets VSS permissions to a common default configuration, which should be verified against your specific system’s configuration.
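To make the two descriptor strings above concrete (the test command and its cleanup), here is an added example, not part of the original post or of the Atomic Red Team project, that parses a service SDDL string into its ACEs and applies a simple defender-side check: which trustees are denied generic-all on the service, and whether Local System still holds an allow entry. It assumes plain D:/S: sections with no owner/group parts and no ACL-level flags.

```python
import re
from dataclasses import dataclass

# The two descriptor strings shown on this page: the test's setting and its cleanup value.
TEST_SDDL = "D:(D;;GA;;;NU)(D;;GA;;;WD)(D;;GA;;;AN)S:(AU;FA;GA;;;WD)(AU;OIIOFA;GA;;;WD)"
CLEANUP_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;LC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}

@dataclass
class Ace:
    acl: str        # "D" = DACL entry, "S" = SACL entry
    ace_type: str   # decoded from the first ACE field
    flags: list     # two-letter flag codes, e.g. ["OI", "IO", "FA"]; in this field FA is the audit-failure flag
    rights: list    # two-letter right codes, e.g. ["GA"] or ["CC", "LC", ...]
    trustee: str    # well-known SID alias (SY, BA, BU, WD, NU, AN) or a full S-1-... SID

def _two_letter_tokens(field):
    # SDDL flag and right codes are fixed two-character tokens with no separator.
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def parse_sddl(sddl):
    """Parse the D: and S: portions of a service SDDL string into Ace records.
    Assumption: no O:/G: owner/group parts and no ACL-level flags (P, AI, AR)."""
    aces = []
    for acl, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        for raw in re.findall(r"\(([^)]*)\)", body):
            ace_type, flags, rights, _obj, _inherit_obj, sid = raw.split(";")
            aces.append(Ace(acl, ACE_TYPES.get(ace_type, ace_type),
                            _two_letter_tokens(flags), _two_letter_tokens(rights), sid))
    return aces

def check_vss_descriptor(sddl):
    """Defender-side check: who is denied generic-all, and does SYSTEM keep an allow ACE?"""
    aces = parse_sddl(sddl)
    dacl = [a for a in aces if a.acl == "D"]
    return {
        "denied_ga": [a.trustee for a in dacl
                      if a.ace_type == "ACCESS_DENIED" and "GA" in a.rights],
        "system_allowed": any(a.ace_type == "ACCESS_ALLOWED" and a.trustee == "SY" for a in dacl),
        "audit_aces": sum(1 for a in aces if a.acl == "S" and a.ace_type == "SYSTEM_AUDIT"),
    }

if __name__ == "__main__":
    for label, sddl in (("test", TEST_SDDL), ("cleanup", CLEANUP_SDDL)):
        print(label, check_vss_descriptor(sddl))
```

On a live host the string to feed in comes from `sc sdshow VSS`; comparing its result against the cleanup value above is a quick way to confirm the service was restored after the test.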
YAML
atomic-red-team/atomics/T1490/T1490.yaml at master · redcanaryco/atomic-red-team (github.com)
- name: "Modify VSS Service Permissions"
  auto_generated_guid: a4420f93-5386-4290-b780-f4f66abc7070
  description: |
    This atomic test alters the security settings of the Volume Shadow Copy Service (VSS) by modifying its permissions, potentially impacting system recovery operations. The specific permissions set by the command are as follows:
    - Deny Generic All (GA) permissions to Network Users (NU)
    - Deny GA permissions to Everyone (WD)
    - Deny GA permissions to Anonymous (AN)
    - Allow Full Access (FA) and Generic All (GA) permissions to Everyone (WD) in System ACL (SACL)
    - Allow Object Inherit and Inherit Only (OIIO) Full Access (FA) and GA permissions to Everyone (WD) in SACL
    These permissions can significantly restrict VSS functionalities, including backup and restore operations. As such, it is essential to run this test only in a controlled environment with administrative privileges.
    A cleanup command is provided to reset VSS permissions to a common default configuration, which should be verified against your specific system's configuration. It's crucial to use this cleanup command after testing to ensure the system's backup and recovery capabilities remain functional. Running this test on a production system or critical environment is not recommended without proper precautions and a robust recovery plan.
  supported_platforms:
  - windows
  executor:
    name: "command_prompt"
    elevation_required: true
    command: |
      sc sdset VSS D:(D;;GA;;;NU)(D;;GA;;;WD)(D;;GA;;;AN)S:(AU;FA;GA;;;WD)(AU;OIIOFA;GA;;;WD)
    cleanup_command: |
      sc sdset VSS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Installing Atomic Red Team
If you’re interested in running this test or exploring more atomic tests, you’ll need to install Atomic Red Team. You can find the installation instructions on their GitHub page here.
Installing Atomic Red Team · redcanaryco/invoke-atomicredteam Wiki (github.com)
Caution
Running this test on a production system or critical environment is not recommended without proper precautions and a robust recovery plan. Always understand the potential impacts and have a recovery plan in place before running any tests.
Conclusion
Thank you for taking the time to read this blog post. If you found it informative and helpful, please share it with your colleagues, friends, and fellow cybersecurity enthusiasts. Your support helps us spread awareness and contributes to a safer digital world. Remember, knowledge is power, and sharing is caring. Stay safe and keep testing! 🛡️