Merge pull request #54 from ForensicITGuy/ntdsutil

Ntdsutil & Rasautou addition

yml/OSBinaries/Rasautou.yml

@@ -0,0 +1,27 @@
+---
+Name: Rasautou.exe
+Description: Windows Remote Access Dialer
+Author: 'Tony Lambert'
+Created: '2020-01-10'
+Commands:
+  - Command: rasautou -d powershell.dll -p powershell -a a -e e 
+    Description: Loads the target .DLL specified in -d and executes the export specified in -p. Options removed in Windows 10.
+    Usecase: Execute DLL code
+    Category: Execute
+    Privileges: User, Administrator in Windows 8
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1
+Full_Path:
+  - Path: C:\Windows\System32\rasautou.exe
+Code_Sample: 
+- Code:
+Detection:
+ - IOC: rasautou.exe command line containing -d and -p
+Resources:
+  - Link: https://github.com/fireeye/DueDLLigence
+  - Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
+Acknowledgement:
+  - Person: FireEye
+    Handle: '@FireEye'
+---

yml/OtherMSBinaries/Ntdsutil.yml

@@ -0,0 +1,26 @@
+---
+Name: ntdsutil.exe
+Description: Command line utility used to export Actove Directory.
+Author: 'Tony Lambert'
+Created: '2020-01-10'
+Commands:
+  - Command: ntdsutil.exe “ac i ntds” “ifm” “create full c:\” q q
+    Description: Dump NTDS.dit into folder
+    Usecase: Dumping of Active Directory NTDS.dit database
+    Category: Dump
+    Privileges: Administrator
+    MitreID: T1003
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1003
+    OperatingSystem: Windows
+Full_Path:
+  - Path: C:\Windows\System32\ntdsutil.exe
+Code_Sample:
+  - Code:
+Detection:
+  - IOC: ntdsutil.exe with command line including "ifm"
+Resources:
+  - Link: https://adsecurity.org/?p=2398#CreateIFM
+Acknowledgement:
+  - Person: Sean Metcalf
+    Handle: '@PyroTek3'
+---