Shadow Copies

The Volume Shadow Service (VSS) in Windows allows for the creation of snapshots of volumes or files. An attacker can leverage the vshadow utility to create a shadow copy of the AD database, ntds.dit, from a DC. After extracting the database and SYSTEM hive, they can use tools like impacket-secretsdump to dump user credentials, including NTLM hashes and Kerberos keys, offline.

The SYSTEM hive is a registry file that stores system-level information in Windows; it is required to decrypt the contents of the ntds.dit database during credential extraction.

In our scenario we will log in to DC1 as jeffadmin.

Create a shadow copy of the C: drive on DC1 with vshadow.exe (-nw disables writers, -p stores the copy on disk).

vshadow.exe -nw -p C:

DCSync with mimikatz is a stealthier method for extracting user hashes from a DC without leaving as obvious a trail.
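Both techniques on this page leave distinct traces that a defender can alert on: the shadow-copy workflow shows up as process-creation events (vshadow.exe or vssadmin creating a snapshot, a command line that references ntds.dit, an export of the SYSTEM hive), and DCSync shows up as a directory-service access event (4662) in which a non-DC account requests the replication extended rights. The following Python is an added example, not part of the original page or any tool it mentions; it runs simple detection rules over constructed sample events modelled on the jeffadmin/DC1 scenario. The dict field names follow the Windows Security log and Sysmon, but the event representation, the rule names and the `replication_allowlist` parameter are assumptions made for this example.

```python
"""Detection logic (added example, not from the original page) for two DC
credential-theft patterns: the vshadow/ntds.dit shadow-copy workflow and DCSync.

Events are modelled as plain dicts using the field names Windows uses in the
Security log (4688 process creation, 4662 directory-object access) and Sysmon
(event 1). The sample events below are constructed for this example; they are
not real telemetry.
"""
import re

# Extended rights that a DCSync caller must request. Legitimate holders are
# domain controllers (and a few directory-sync products), so the question is
# who is requesting them, not whether they are requested at all.
REPLICATION_RIGHT_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
)

# vshadow.exe ships with the Windows SDK and is not on a DC by default, so its
# presence alone is notable; -p persists the snapshot so files can be read from it.
SHADOW_CREATE = re.compile(r"vshadow(\.exe)?\b.*\s-p\b|vssadmin(\.exe)?\s+create\s+shadow", re.I)
NTDS_REFERENCE = re.compile(r"ntds\.dit", re.I)
SYSTEM_HIVE_EXPORT = re.compile(r"\breg(\.exe)?\s+save\s+(hklm|hkey_local_machine)\\system\b", re.I)

PROCESS_EVENTS = {4688, 1}  # Security 4688 and Sysmon event 1


def classify(event, replication_allowlist=frozenset()):
    """Return the list of finding labels that one event triggers (empty if none)."""
    findings = []
    event_id = event.get("EventID")
    if event_id in PROCESS_EVENTS:
        cmd = event.get("CommandLine", "")
        if SHADOW_CREATE.search(cmd):
            findings.append("shadow-copy-created")
        if NTDS_REFERENCE.search(cmd):
            findings.append("ntds-dit-referenced")
        if SYSTEM_HIVE_EXPORT.search(cmd):
            findings.append("system-hive-exported")
    elif event_id == 4662:
        props = event.get("Properties", "").lower()
        subject = event.get("SubjectUserName", "")
        requested = any(guid in props for guid in REPLICATION_RIGHT_GUIDS)
        # DC machine accounts (trailing '$') replicate legitimately; any other
        # subject is suspect unless explicitly allowlisted (assumed parameter).
        if requested and not subject.endswith("$") and subject.lower() not in replication_allowlist:
            findings.append("dcsync-replication-request")
    return findings


def scan(events, replication_allowlist=frozenset()):
    """Run classify() over a sequence of events; returns (RecordId, finding) pairs."""
    return [(e["RecordId"], f) for e in events for f in classify(e, replication_allowlist)]


# Constructed sample events modelled on the workflow on this page (jeffadmin on DC1).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4688, "SubjectUserName": "jeffadmin", "CommandLine": "vshadow.exe -nw -p C:"},
    {"RecordId": 2, "EventID": 4688, "SubjectUserName": "jeffadmin",
     "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.dit"},
    {"RecordId": 3, "EventID": 4688, "SubjectUserName": "jeffadmin", "CommandLine": r"reg save hklm\system C:\Temp\system.hive"},
    # Benign: listing existing shadow copies does not create one.
    {"RecordId": 4, "EventID": 4688, "SubjectUserName": "svc_backup", "CommandLine": "vssadmin list shadows"},
    # Benign: DC2's machine account pulling replication changes from DC1.
    {"RecordId": 5, "EventID": 4662, "SubjectUserName": "DC2$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # DCSync: a user account requesting Get-Changes-All.
    {"RecordId": 6, "EventID": 4662, "SubjectUserName": "jeffadmin", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for record_id, finding in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {finding}")
```

Two caveats a practitioner should keep in mind: 4688 only carries the command line if "Include command line in process creation events" is enabled (Sysmon event 1 always does), and 4662 is only generated when Directory Service Access auditing is on and the domain object carries a SACL for the replication rights. The machine-account exclusion is a heuristic; any service account that legitimately replicates (for example a directory-sync product) belongs in `replication_allowlist` rather than being silently ignored.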
