	Update Dsdbutil.yml
		@@ -1,13 +1,10 @@
---
Name: dsdbutil.exe
Description: >-
  Dsdbutil is a command-line tool that is built into Windows Server. It is
  available if you have the AD LDS server role installed. Can be used as a
  command line utility to export Active Directory.
Description: Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.
Aliases:
  - Alias: dsDbUtil.exe
  - Alias: dsDbUtil.exe  # PE Original filename
Author: Ekitji
Created: 2023-05-31T00:00:00.000Z
Created: 2023-05-31
Commands:
  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
    Description: dsdbutil supports VSS snapshot creation
@@ -15,53 +12,40 @@ Commands:
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: 'Windows Server 2012, Windows Server 2016, Windows Server 2019'
  - Command: >-
      dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit"
      "quit"
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
    Description: Mounting the snapshot with its GUID
    Usecase: >-
      Mounting the snapshot to access the ntds.dit with copy c:\[Snap
      Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
    Usecase: Mounting the snapshot to access the ntds.dit with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: 'Windows Server 2012, Windows Server 2016, Windows Server 2019'
  - Command: >-
      dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit"
      "quit"
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit"
    Description: Deletes the mount of the snapshot
    Usecase: Deletes the snapshot
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: 'Windows Server 2012, Windows Server 2016, Windows Server 2019'
  - Command: >-
      dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all"
      "mount 1" "quit" "quit"
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
    Description: Mounting with snapshot identifier
    Usecase: >-
      Mounting the snapshot identifier 1 and accessing it with with copy
      c:\[Snap Volume]\windows\ntds\ntds.dit
      c:\users\administrator\desktop\ntds.dit.bak
    Usecase: Mounting the snapshot identifier 1 and accessing it with with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: 'Windows Server 2012, Windows Server 2016, Windows Server 2019'
  - Command: >-
      dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1"
      "quit" "quit"
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit"
    Description: Deletes the mount of the snapshot
    Usecase: deletes the snapshot
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: 'Windows Server 2012, Windows Server 2016, Windows Server 2019'
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
Full_Path:
  - Path: 'C:\Windows\System32\dsdbutil.exe'
  - Path: 'C:\Windows\SysWOW64\dsdbutil.exe'
  - Path: C:\Windows\System32\dsdbutil.exe
  - Path: C:\Windows\SysWOW64\dsdbutil.exe
Code_Sample:
  - Code: null
  - Code:
Detection:
  - IOC: Event ID 4688
  - IOC: dsdbutil.exe process creation
@@ -69,14 +53,14 @@ Detection:
  - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
  - IOC: Event ID 4656
  - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
  - Analysis: null
  - Sigma: null
  - Elastic: null
  - Splunk: null
  - BlockRule: null
  - Analysis:
  - Sigma:
  - Elastic:
  - Splunk:
  - BlockRule:
Resources:
  - Link: 'https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358'
  - Link: 'https://www.netwrix.com/ntds_dit_security_active_directory.html'
  - Link: https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358
  - Link: https://www.netwrix.com/ntds_dit_security_active_directory.html
Acknowledgement:
  - Person: bohop
    Handle: '@bohops'
 
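Review bot: The reflowed `Usecase:` of the `"list all" "mount 1"` entry in the second hunk still carries the doubled word `accessing it with with copy`; it should read `Usecase: Mounting the snapshot identifier 1 and accessing it with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak`. Both `delete` entries in the same hunk also contradict themselves — `Description: Deletes the mount of the snapshot` sits next to `Usecase: Deletes the snapshot`, and the two fields should agree on whether the snapshot or only its mount is removed. `Created: 2023-05-31` in the first hunk is now an unquoted ISO date, which YAML loaders type as a date rather than a string; that is presumably the project-wide convention, but if any consumer expects a string it would need `Created: "2023-05-31"`. In the Detection block, `- IOC: Event ID 4688` only surfaces the command-line arguments above when process command-line auditing is enabled, so a qualifier such as `Event ID 4688 with command line logging enabled` would make the IOC actionable for defenders.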