mirror of https://github.com/LOLBAS-Project/LOLBAS, synced 2025-10-25 14:55:19 +02:00
	dsdbutil.exe
LOLBIN for dumping NTDS
This commit is contained in:
68 yml/OtherMSBinaries/Dsdbutil.yml (Normal file)
							| @@ -0,0 +1,68 @@ | ||||
| --- | ||||
| Name: dsdbutil.exe | ||||
| Description: Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.  | ||||
| Aliases:  | ||||
|   - Alias: dsDbUtil.exe  # PE Original filename | ||||
| Author: Ekitji | ||||
| Created: 2023-05-31 | ||||
| Commands: | ||||
|   - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit" | ||||
|     Description: dsdbutil supports VSS snapshot creation | ||||
|     Usecase: Snapshoting of Active Directory NTDS.dit database | ||||
|     Category: Dump | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1003.003: NTDS | ||||
|     OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019 | ||||
|   - Command: dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit" | ||||
|     Description: Mounting the snapshot with its GUID | ||||
|     Usecase: Mounting the snapshot to access the ntds.dit with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak | ||||
|     Category: Dump | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1003.003: NTDS | ||||
|     OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019 | ||||
|   - Command: dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit" | ||||
|     Description: Deletes the mount of the snapshot | ||||
|     Usecase: Deletes the snapshot | ||||
|     Category: Dump | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1003.003: NTDS | ||||
|     OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019 | ||||
|   - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit" | ||||
|     Description: Mounting with snapshot identifier | ||||
|     Usecase: Mounting the snapshot identifier 1 and accessing it with with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak | ||||
|     Category: Dump | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1003.003: NTDS | ||||
|     OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019 | ||||
|   - Command: dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit" | ||||
|     Description: Deletes the mount of the snapshot | ||||
|     Usecase: deletes the snapshot | ||||
|     Category: Dump | ||||
|     Privileges: Administrator | ||||
|     MitreID: T1003.003: NTDS | ||||
|     OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\System32\dsdbutil.exe | ||||
|   - Path: C:\Windows\SysWOW64\dsdbutil.exe | ||||
| Code_Sample: | ||||
|   - Code: | ||||
| Detection: | ||||
|   - IOC: Event ID 4688 | ||||
|   - IOC: dsdbutil.exe process creation | ||||
|   - IOC: Event ID 4663 | ||||
|   - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit | ||||
|   - IOC: Event ID 4656 | ||||
|   - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit | ||||
|   - Analysis: | ||||
|   - Sigma:  | ||||
|   - Elastic:  | ||||
|   - Splunk:  | ||||
|   - BlockRule: | ||||
| Resources: | ||||
|   - Link: https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358 | ||||
|   - Link: https://www.netwrix.com/ntds_dit_security_active_directory.html | ||||
| Acknowledgement: | ||||
|   - Person: bohop | ||||
|     Handle: '@bohops' | ||||
|   - Person: Ekitji | ||||
|     Handle: '@eki_erk' | ||||
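Review bot: the two `delete` entries describe the wrong operation: `Description: Deletes the mount of the snapshot` sits on `"delete {GUID}"` and on `"delete 1"`, but the snapshot `delete` subcommand removes the snapshot itself, while detaching a mounted snapshot is the separate `unmount` subcommand; reword both descriptions to match their Usecase ("Deletes the snapshot"), or add a distinct `unmount {GUID}` entry if that is what was intended. Two typos in the same hunk: `Usecase: Snapshoting of Active Directory NTDS.dit database` should read "Snapshotting", and the Usecase on the `"mount 1"` command repeats "with with". In the Detection block, the Event ID 4656 and 4663 IOCs only produce events when Object Access auditing is enabled and an audit SACL is set on ntds.dit, which is not the default; say so, since Event ID 4688 process creation (with command-line logging enabled) is the IOC most environments can actually rely on, and it should be the first one listed. The `Code_Sample`/`Code`, `Analysis`, `Sigma`, `Elastic`, `Splunk` and `BlockRule` fields are all empty; either populate them or drop them so the entry is consistent with the rest of the repository. Finally, `Person: bohop` in Acknowledgement does not match the handle `'@bohops'` or the linked gist owner; check the spelling.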