---
Name : dsdbutil.exe
Description : Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. It can be used as a command-line utility to export Active Directory.
Aliases :
  - Alias : dsDbUtil.exe # PE Original filename
Author : Ekitji
Created : 2023-05-31
Commands :
  - Command : dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
    Description : dsdbutil supports VSS snapshot creation
    Usecase : Snapshotting of the Active Directory NTDS.dit database
    Category : Dump
    Privileges : Administrator
    MitreID : T1003.003
    OperatingSystem : Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command : dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
    Description : Mounting the snapshot with its GUID
    Usecase : Mounting the snapshot to access the ntds.dit with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
    Category : Dump
    Privileges : Administrator
    MitreID : T1003.003
    OperatingSystem : Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command : dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit"
    Description : Deletes the mount of the snapshot
    Usecase : Deletes the snapshot
    Category : Dump
    Privileges : Administrator
    MitreID : T1003.003
    OperatingSystem : Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command : dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
    Description : Mounting with snapshot identifier
    Usecase : Mounting the snapshot with identifier 1 and accessing it with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
    Category : Dump
    Privileges : Administrator
    MitreID : T1003.003
    OperatingSystem : Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command : dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit"
    Description : Deletes the mount of the snapshot
    Usecase : Deletes the snapshot
    Category : Dump
    Privileges : Administrator
    MitreID : T1003.003
    OperatingSystem : Windows Server 2012, Windows Server 2016, Windows Server 2019
Full_Path :
  - Path : C:\Windows\System32\dsdbutil.exe
  - Path : C:\Windows\SysWOW64\dsdbutil.exe
Code_Sample :
  - Code :
Detection :
  - IOC : Event ID 4688
  - IOC : dsdbutil.exe process creation
  - IOC : Event ID 4663
  - IOC : Regular and Volume Shadow Copy attempts to read or modify ntds.dit
  - IOC : Event ID 4656
  - IOC : Regular and Volume Shadow Copy attempts to read or modify ntds.dit
  - Analysis :
  - Sigma :
  - Elastic :
  - Splunk :
  - BlockRule :
Resources :
  - Link : https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358
  - Link : https://www.netwrix.com/ntds_dit_security_active_directory.html
Acknowledgement :
  - Person : bohop
    Handle : '@bohops'
  - Person : Ekitji
    Handle : '@eki_erk'