Hi,
In some AD instances I got a user shell on the DC with SeBackupPrivilege. After extracting the SAM and SYSTEM hives with the “reg save” command, I could dump the administrator hash.
Now, trying to use this hash with Evil-WinRM or psexec always resulted in authentication errors. I think I understand that this is not the domain admin hash but rather the local admin hash on the DC. Is this the same as the hash for the DC machine itself?
For some reason I could not extract the NTDS.dit file by shadow-copying the C drive to get the domain hashes in this instance. There are some other methods to get SYSTEM on the DC with this user, but I really want to know if I can use the hashes dumped from the SAM and SYSTEM hives in the said way.
Thank you!