Update Dsdbutil.yml

Ekitji 2023-08-23 08:17:56 +02:00 committed by GitHub
parent ddb1e02d8b
commit cd27c25410
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,13 +1,10 @@
--- ---
Name: dsdbutil.exe Name: dsdbutil.exe
Description: >- Description: Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.
Dsdbutil is a command-line tool that is built into Windows Server. It is
available if you have the AD LDS server role installed. Can be used as a
command line utility to export Active Directory.
Aliases: Aliases:
- Alias: dsDbUtil.exe - Alias: dsDbUtil.exe # PE Original filename
Author: Ekitji Author: Ekitji
Created: 2023-05-31T00:00:00.000Z Created: 2023-05-31
Commands: Commands:
- Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit" - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
Description: dsdbutil supports VSS snapshot creation Description: dsdbutil supports VSS snapshot creation
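Review bot: the reflowed `Description:` line leaves its last sentence without a subject ("Can be used as a command line utility to export Active Directory") and switches from "command-line" to "command line" within the same block; suggest "It can be used as a command-line utility to export Active Directory." so the sentence stands on its own and the hyphenation is consistent. The other changes in this hunk look fine: folding the `>-` block scalar onto one line does not alter the value, `Created: 2023-05-31` is a cleaner date than the zero-time ISO timestamp, and the `# PE Original filename` comment on the alias documents where `dsDbUtil.exe` comes from.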
@ -15,53 +12,40 @@ Commands:
Category: Dump Category: Dump
Privileges: Administrator Privileges: Administrator
MitreID: T1003.003 MitreID: T1003.003
OperatingSystem: 'Windows Server 2012, Windows Server 2016, Windows Server 2019' OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
- Command: >- - Command: dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit"
"quit"
Description: Mounting the snapshot with its GUID Description: Mounting the snapshot with its GUID
Usecase: >- Usecase: Mounting the snapshot to access the ntds.dit with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
Mounting the snapshot to access the ntds.dit with copy c:\[Snap
Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
Category: Dump Category: Dump
Privileges: Administrator Privileges: Administrator
MitreID: T1003.003 MitreID: T1003.003
OperatingSystem: 'Windows Server 2012, Windows Server 2016, Windows Server 2019' OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
- Command: >- - Command: dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit"
dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit"
"quit"
Description: Deletes the mount of the snapshot Description: Deletes the mount of the snapshot
Usecase: Deletes the snapshot Usecase: Deletes the snapshot
Category: Dump Category: Dump
Privileges: Administrator Privileges: Administrator
MitreID: T1003.003 MitreID: T1003.003
OperatingSystem: 'Windows Server 2012, Windows Server 2016, Windows Server 2019' OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
- Command: >- - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all"
"mount 1" "quit" "quit"
Description: Mounting with snapshot identifier Description: Mounting with snapshot identifier
Usecase: >- Usecase: Mounting the snapshot identifier 1 and accessing it with with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
Mounting the snapshot identifier 1 and accessing it with with copy
c:\[Snap Volume]\windows\ntds\ntds.dit
c:\users\administrator\desktop\ntds.dit.bak
Category: Dump Category: Dump
Privileges: Administrator Privileges: Administrator
MitreID: T1003.003 MitreID: T1003.003
OperatingSystem: 'Windows Server 2012, Windows Server 2016, Windows Server 2019' OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
- Command: >- - Command: dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit"
dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1"
"quit" "quit"
Description: Deletes the mount of the snapshot Description: Deletes the mount of the snapshot
Usecase: deletes the snapshot Usecase: deletes the snapshot
Category: Dump Category: Dump
Privileges: Administrator Privileges: Administrator
MitreID: T1003.003 MitreID: T1003.003
OperatingSystem: 'Windows Server 2012, Windows Server 2016, Windows Server 2019' OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
Full_Path: Full_Path:
- Path: 'C:\Windows\System32\dsdbutil.exe' - Path: C:\Windows\System32\dsdbutil.exe
- Path: 'C:\Windows\SysWOW64\dsdbutil.exe' - Path: C:\Windows\SysWOW64\dsdbutil.exe
Code_Sample: Code_Sample:
- Code: null - Code:
Detection: Detection:
- IOC: Event ID 4688 - IOC: Event ID 4688
- IOC: dsdbutil.exe process creation - IOC: dsdbutil.exe process creation
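Review bot: the `Usecase:` line for the `"mount 1"` command still reads "accessing it with with copy", a doubled "with" that the reflow carried over from the old block scalar; suggest "Mounting the snapshot identifier 1 and accessing it with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak". In the same hunk both `delete` entries say "Deletes the mount of the snapshot" in `Description:` but "Deletes the snapshot" / "deletes the snapshot" in `Usecase:`; pick one wording and one capitalisation, since deleting a snapshot is not the same action as unmounting it. Dropping the single quotes around the `OperatingSystem:` and `Full_Path:` values is safe: none of those strings starts with a YAML indicator character and backslashes are not escape sequences in plain scalars, and `Code:` with no value parses the same as `Code: null`.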
@ -69,14 +53,14 @@ Detection:
- IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
- IOC: Event ID 4656 - IOC: Event ID 4656
- IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
- Analysis: null - Analysis:
- Sigma: null - Sigma:
- Elastic: null - Elastic:
- Splunk: null - Splunk:
- BlockRule: null - BlockRule:
Resources: Resources:
- Link: 'https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358' - Link: https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358
- Link: 'https://www.netwrix.com/ntds_dit_security_active_directory.html' - Link: https://www.netwrix.com/ntds_dit_security_active_directory.html
Acknowledgement: Acknowledgement:
- Person: bohop - Person: bohop
Handle: '@bohops' Handle: '@bohops'
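Review bot: the `Detection:` list at the top of this hunk carries "Regular and Volume Shadow Copy attempts to read or modify ntds.dit" twice, once before and once after "Event ID 4656"; one copy looks like a leftover and should be dropped unless the intent was to attach the text to a different event ID. Changing `Analysis`, `Sigma`, `Elastic`, `Splunk` and `BlockRule` from `null` to an empty value is a no-op for YAML readers, so that part is purely cosmetic. `Handle: '@bohops'` correctly keeps its quotes (a plain scalar cannot begin with `@`), but `Person: bohop` lacks the trailing "s" that both the handle and the gist URL under `Resources:` carry; worth confirming the intended name.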