One Day Sec

What defenses can be implemented to prevent abuse of Volume Shadow Copy in attacks?

The primary defense is to keep attackers from obtaining administrative privileges, since abusing VSS in this way requires admin rights. On individual hosts, disabling the Volume Shadow Copy service blocks the technique outright, though this may affect System Restore. Enterprise defenders can also monitor for the technique's indicators: execution of `vshadow.exe` with a command line such as `-p C:\`, creation of directory symbolic links via `mklink /D`, and processes launched from paths containing `HarddiskVolumeShadowCopy`. This is the same kind of process and command-line monitoring used to spot remote registry access or net session enumeration.
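The three indicators above can be turned directly into detection rules over process-creation telemetry. The following is an added example, not code from the original answer: it applies those rules to a handful of constructed process-creation records shaped like Sysmon Event ID 1 / Windows 4688 fields (`Image`, `CommandLine`, `User` are assumed field names), including benign look-alikes (a file symlink without `/D`, a `vshadow.exe -q` query) so the rules do not fire on them.

```python
"""Detection rules for the Volume Shadow Copy abuse indicators named above.

Constructed example: SAMPLE_EVENTS are made-up process-creation records,
not real telemetry. Field names (Image, CommandLine, User) are assumptions
modelled on Sysmon Event ID 1 / Security 4688.
"""
import re
from typing import Dict, List

# Rule 1 inputs: vshadow.exe run with the -p (persistent snapshot) switch
# against a drive root such as C:\ .
_PERSIST_FLAG = re.compile(r"(?:^|\s)-p(?:\s|$)", re.I)
_DRIVE_ROOT = re.compile(r"\b[a-z]:\\", re.I)
# Rule 2: mklink with the /D switch (directory symbolic link). mklink is a
# cmd.exe built-in, so Image will be cmd.exe and only CommandLine matters.
_MKLINK_DIR = re.compile(r"\bmklink\b.*?(?:^|\s)/d(?:\s|$)", re.I)
# Rule 3: any image path or argument pointing into a shadow copy device.
_SHADOW_DEVICE = re.compile(r"HarddiskVolumeShadowCopy\d*", re.I)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires for one process-creation event."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    hits: List[str] = []
    if (_basename(image) == "vshadow.exe"
            and _PERSIST_FLAG.search(cmdline)
            and _DRIVE_ROOT.search(cmdline)):
        hits.append("vshadow_persistent_snapshot")
    if _MKLINK_DIR.search(cmdline):
        hits.append("mklink_directory_symlink")
    if _SHADOW_DEVICE.search(image) or _SHADOW_DEVICE.search(cmdline):
        hits.append("shadow_copy_path_reference")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Evaluate every event; rank a finding 'high' when it touches a shadow
    copy device path or trips more than one rule, otherwise 'medium'."""
    findings: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        rules = evaluate(ev)
        if not rules:
            continue
        high = len(rules) > 1 or "shadow_copy_path_reference" in rules
        findings.append({
            "index": idx,
            "user": ev.get("User", ""),
            "rules": rules,
            "severity": "high" if high else "medium",
        })
    return findings


# Constructed sample events (not real logs). Events 3 and 4 are benign
# look-alikes that the rules must NOT flag.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "C:\\Tools\\vshadow.exe",
     "CommandLine": "vshadow.exe -p C:\\",
     "User": "CORP\\admin"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c mklink /D C:\\snap "
                    "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\",
     "User": "CORP\\admin"},
    {"Image": "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\"
              "Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe",
     "User": "CORP\\admin"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c mklink C:\\link.txt C:\\target.txt",
     "User": "CORP\\bob"},
    {"Image": "C:\\Tools\\vshadow.exe",
     "CommandLine": "vshadow.exe -q",
     "User": "CORP\\backup"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Matching `vshadow.exe` by file name is the weakest of the three rules, because the binary can be renamed; where Sysmon is deployed, keying the first rule on the `OriginalFileName` field (or on the file hash) instead of `Image` is more robust. The shadow-copy-path rule is the highest-confidence signal, since ordinary software has little reason to launch from `\Device\HarddiskVolumeShadowCopyN`.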
Tags: Volume Shadow Copy defense, vshadow detection, mklink monitoring, administrator privileges, VSS disable
