Use Pass-the-Hash to exfil ntds.dit
If you have a hash for either a domain admin or a local admin on a domain controller, you can use mimikatz to exfil the entire Active Directory database. From mimikatz, run the following command to spawn a shell as…