	Update Dsdbutil.yml
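--- a/Dsdbutil.yml
+++ b/Dsdbutil.yml
@@ -1,12 +1,13 @@
 ---
 Name: dsdbutil.exe
-Description: Dsdbutil is a command-line tool that is built into Windows Server.
-  It is available if you have the AD LDS server role installed. Can be used as a
+Description: >-
+  Dsdbutil is a command-line tool that is built into Windows Server. It is
+  available if you have the AD LDS server role installed. Can be used as a
   command line utility to export Active Directory.
 Aliases:
   - Alias: dsDbUtil.exe
 Author: Ekitji
-Created: 2023-05-31
+Created: 2023-05-31T00:00:00.000Z
 Commands:
   - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
     Description: dsdbutil supports VSS snapshot creation
@@ -14,45 +15,51 @@ Commands:
     Category: Dump
     Privileges: Administrator
     MitreID: T1003.003
-    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
-  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit"
+    OperatingSystem: 'Windows Server 2012, Windows Server 2016, Windows Server 2019'
+  - Command: >-
+      dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit"
       "quit"
     Description: Mounting the snapshot with its GUID
-    Usecase: Mounting the snapshot to access the ntds.dit with copy c:\[Snap
+    Usecase: >-
+      Mounting the snapshot to access the ntds.dit with copy c:\[Snap
       Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
     Category: Dump
     Privileges: Administrator
     MitreID: T1003.003
-    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
-  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit"
+    OperatingSystem: 'Windows Server 2012, Windows Server 2016, Windows Server 2019'
+  - Command: >-
+      dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit"
       "quit"
     Description: Deletes the mount of the snapshot
     Usecase: Deletes the snapshot
     Category: Dump
     Privileges: Administrator
     MitreID: T1003.003
-    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
-  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all"
+    OperatingSystem: 'Windows Server 2012, Windows Server 2016, Windows Server 2019'
+  - Command: >-
+      dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all"
       "mount 1" "quit" "quit"
     Description: Mounting with snapshot identifier
-    Usecase: Mounting the snapshot identifier 1 and accessing it with with copy
+    Usecase: >-
+      Mounting the snapshot identifier 1 and accessing it with with copy
       c:\[Snap Volume]\windows\ntds\ntds.dit
       c:\users\administrator\desktop\ntds.dit.bak
     Category: Dump
     Privileges: Administrator
     MitreID: T1003.003
-    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
-  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1"
+    OperatingSystem: 'Windows Server 2012, Windows Server 2016, Windows Server 2019'
+  - Command: >-
+      dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1"
       "quit" "quit"
     Description: Deletes the mount of the snapshot
     Usecase: deletes the snapshot
     Category: Dump
     Privileges: Administrator
     MitreID: T1003.003
-    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
+    OperatingSystem: 'Windows Server 2012, Windows Server 2016, Windows Server 2019'
 Full_Path:
-  - Path: C:\Windows\System32\dsdbutil.exe
-  - Path: C:\Windows\SysWOW64\dsdbutil.exe
+  - Path: 'C:\Windows\System32\dsdbutil.exe'
+  - Path: 'C:\Windows\SysWOW64\dsdbutil.exe'
 Code_Sample:
   - Code: null
 Detection:
@@ -68,10 +75,10 @@ Detection:
   - Splunk: null
   - BlockRule: null
 Resources:
-  - Link: https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358
-  - Link: https://www.netwrix.com/ntds_dit_security_active_directory.html
+  - Link: 'https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358'
+  - Link: 'https://www.netwrix.com/ntds_dit_security_active_directory.html'
 Acknowledgement:
   - Person: bohop
-    Handle: "@bohops"
+    Handle: '@bohops'
   - Person: Ekitji
-    Handle: "@eki_erk"
+    Handle: '@eki_erk'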
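Review bot: The reflowed Usecase under the fourth command keeps the doubled word in `      Mounting the snapshot identifier 1 and accessing it with with copy`; since the commit already rewrites that scalar as a folded block, the duplicate should be dropped in the same pass (`accessing it with copy`). The `Created` value also changes type rather than just quoting: `2023-05-31` is parsed as a YAML date, while `2023-05-31T00:00:00.000Z` is a full timestamp, so whichever schema check or site generator consumes this field should be confirmed to accept the new form — the hunk does not show which the project validates against. The two `Description: Deletes the mount of the snapshot` entries sit beside Usecase lines that say the snapshot itself is deleted, so the descriptions appear to understate the effect; `Description: Deletes the snapshot` would match the Usecase text and is the more useful wording for a defender reading the Dump category.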