Vssadmin Shadow Copy
Configuring
No need to configure anything.
Attacking
How it works
With Domain Admin credentials it is possible to copy the NTDS.dit database and the SYSTEM and SECURITY registry hives from the Domain Controller remotely, by taking a Volume Shadow Copy of the system drive and reading the files out of the copy.
Tools
Executing the attack
This is a post-exploitation attack used to extract credentials; it requires Domain Admin credentials.
1. Log in to WS01 as a normal user, for example Richard with the password Sample123.
2. Open PowerShell and execute the following command to create a shadow copy of the C: disk with the vssadmin utility.
3. Now we can copy the NTDS.dit, SYSTEM and SECURITY hives to the C:\temp directory.
Make sure the C:\temp directory exists on the DC before executing this command!
4. The next step is to mount the C:\temp directory and access the files:
5. Copy the files to your Kali machine and execute the following command to extract the credentials.
Defending
Recommendations
Detection
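Detection logic for the steps above, added here as an example and not part of the original page: two rules run over constructed process-creation events with Sysmon Event ID 1 / Security 4688 style fields, one for vssadmin creating a shadow copy and one for a command line that reads NTDS.dit or the SYSTEM/SECURITY hives out of a shadow copy device path. The host names, user names and event field names are assumptions made for the sample data.

```python
# Constructed process-creation events with Sysmon Event ID 1 / Security 4688
# style fields. Sample data for this example only, not logs from a real host.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "LAB\\Richard", "parent": "powershell.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "user": "LAB\\Richard", "parent": "powershell.exe",
     "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
                r"\Windows\NTDS\ntds.dit C:\temp\ntds.dit"},
    # Benign: a backup agent enumerating existing shadow copies as SYSTEM.
    {"host": "DC01", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "WS01", "user": "LAB\\Richard", "parent": "explorer.exe",
     "cmdline": r"notepad.exe C:\temp\notes.txt"},
]

# Files that are only read out of a shadow copy for offline credential
# extraction: the NTDS database and the hives needed to decrypt it.
SENSITIVE = ("ntds.dit", r"\config\system", r"\config\security")

# Each rule is (name, predicate over the lower-cased command line).
RULES = [
    ("vssadmin_create_shadow",
     lambda c: c.startswith("vssadmin") and "create" in c and "shadow" in c),
    ("sensitive_file_from_shadow_copy",
     lambda c: "harddiskvolumeshadowcopy" in c and any(s in c for s in SENSITIVE)),
]


def evaluate(events, domain_controllers):
    """Run every rule over every event and return the matches.

    A hit on a domain controller is rated high: NTDS.dit only exists there,
    and a shadow copy of its system drive is the first step of this technique.
    """
    dcs = {h.upper() for h in domain_controllers}
    findings = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        for name, predicate in RULES:
            if predicate(cmd):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "parent": ev["parent"], "rule": name,
                                 "severity": "high" if ev["host"].upper() in dcs else "medium"})
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS, domain_controllers={"DC01"}):
        print(f"[{f['severity']}] {f['host']} {f['user']} via {f['parent']}: {f['rule']}")
```

The parent process is carried into each finding because vssadmin spawned from an interactive PowerShell session by a named user looks very different from the same binary started by a backup service as SYSTEM.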
References