diff --git a/yml/OtherMSBinaries/Dsdbutil.yml b/yml/OtherMSBinaries/Dsdbutil.yml new file mode 100644 index 0000000..142edcf --- /dev/null +++ b/yml/OtherMSBinaries/Dsdbutil.yml 
@@ -0,0 +1,68 @@ +--- +Name: dsdbutil.exe +Description: Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory. +Aliases: + - Alias: dsDbUtil.exe # PE Original filename +Author: Ekitji +Created: 2023-05-31 +Commands: + - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit" + Description: dsdbutil supports VSS snapshot creation + Usecase: Snapshoting of Active Directory NTDS.dit database + Category: Dump + Privileges: Administrator + MitreID: T1003.003: NTDS + OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019 + - Command: dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit" + Description: Mounting the snapshot with its GUID + Usecase: Mounting the snapshot to access the ntds.dit with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak + Category: Dump + Privileges: Administrator + MitreID: T1003.003: NTDS + OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019 + - Command: dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit" + Description: Deletes the mount of the snapshot + Usecase: Deletes the snapshot + Category: Dump + Privileges: Administrator + MitreID: T1003.003: NTDS + OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019 + - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit" + Description: Mounting with snapshot identifier + Usecase: Mounting the snapshot identifier 1 and accessing it with with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak + Category: Dump + Privileges: Administrator + MitreID: T1003.003: NTDS + OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019 + - Command: dsdbutil.exe "activate instance ntds" 
"snapshot" "list all" "delete 1" "quit" "quit" + Description: Deletes the mount of the snapshot + Usecase: deletes the snapshot + Category: Dump + Privileges: Administrator + MitreID: T1003.003: NTDS + OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019 +Full_Path: + - Path: C:\Windows\System32\dsdbutil.exe + - Path: C:\Windows\SysWOW64\dsdbutil.exe +Code_Sample: + - Code: +Detection: + - IOC: Event ID 4688 + - IOC: dsdbutil.exe process creation + - IOC: Event ID 4663 + - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit + - IOC: Event ID 4656 + - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit + - Analysis: + - Sigma: + - Elastic: + - Splunk: + - BlockRule: +Resources: + - Link: https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358 + - Link: https://www.netwrix.com/ntds_dit_security_active_directory.html +Acknowledgement: + - Person: bohop + Handle: '@bohops' + - Person: Ekitji + Handle: '@eki_erk' \ No newline at end of file
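Review bot: the two `delete` entries are internally inconsistent and miscategorised: their `Description: Deletes the mount of the snapshot` says one thing while the matching `Usecase: Deletes the snapshot` says another, and both carry `Category: Dump` although neither command dumps anything; pick one wording (the snapshot is deleted, not merely unmounted, if that is what the entry means) and consider a category that reflects cleanup rather than credential dumping. In the `Detection` block the same IOC text `Regular and Volume Shadow Copy attempts to read or modify ntds.dit` appears twice, once after `Event ID 4663` and once after `Event ID 4656`, and `Event ID 4688` and `dsdbutil.exe process creation` are split into separate items even though they describe one signal; folding each event ID together with the condition it should match (one item per detection, e.g. "Event ID 4688: dsdbutil.exe process creation") would make the list usable. Several fields are left as empty list items (`- Code:`, `- Analysis:`, `- Sigma:`, `- Elastic:`, `- Splunk:`, `- BlockRule:`); either provide a value or drop the item so the YAML does not carry empty entries. Minor wording: `Snapshoting` should be `Snapshotting`, `with with copy` has a doubled word, the description sentence `Can be used as a command line utility to export Active Directory.` lacks a subject, and the acknowledgement `Person: bohop` does not match the handle `'@bohops'`. The file also ends without a trailing newline.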