From cd8066209a6ac9e802af32972b079057b9405b3a Mon Sep 17 00:00:00 2001
From: Ekitji <41170494+Ekitji@users.noreply.github.com>
Date: Wed, 23 Aug 2023 08:49:48 +0200
Subject: [PATCH] Delete Dsdbutil.yml
---
 yml/OtherMSBinaries/Dsdbutil.yml | 68 --------------------------------
 1 file changed, 68 deletions(-)
 delete mode 100644 yml/OtherMSBinaries/Dsdbutil.yml
diff --git a/yml/OtherMSBinaries/Dsdbutil.yml b/yml/OtherMSBinaries/Dsdbutil.yml
deleted file mode 100644
index 7b0a102..0000000
--- a/yml/OtherMSBinaries/Dsdbutil.yml
+++ /dev/null
@@ -1,68 +0,0 @@
----
-Name: dsdbutil.exe
-Description: Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.
-Aliases:
- - Alias: dsDbUtil.exe # PE Original filename
-Author: Ekitji
-Created: 2023-05-31
-Commands:
- - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
- Description: dsdbutil supports VSS snapshot creation
- Usecase: Snapshoting of Active Directory NTDS.dit database
- Category: Dump
- Privileges: Administrator
- MitreID: T1003.003
- OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
- - Command: dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
- Description: Mounting the snapshot with its GUID
- Usecase: Mounting the snapshot to access the ntds.dit with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
- Category: Dump
- Privileges: Administrator
- MitreID: T1003.003
- OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
- - Command: dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit"
- Description: Deletes the mount of the snapshot
- Usecase: Deletes the snapshot
- Category: Dump
- Privileges: Administrator
- MitreID: T1003.003
- OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
- - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
- Description: Mounting with snapshot identifier
- Usecase: Mounting the snapshot identifier 1 and accessing it with with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
- Category: Dump
- Privileges: Administrator
- MitreID: T1003.003
- OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
- - Command: dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit"
- Description: Deletes the mount of the snapshot
- Usecase: deletes the snapshot
- Category: Dump
- Privileges: Administrator
- MitreID: T1003.003
- OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
-Full_Path:
- - Path: C:\Windows\System32\dsdbutil.exe
- - Path: C:\Windows\SysWOW64\dsdbutil.exe
-Code_Sample:
- - Code:
-Detection:
- - IOC: Event ID 4688
- - IOC: dsdbutil.exe process creation
- - IOC: Event ID 4663
- - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
- - IOC: Event ID 4656
- - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
- - Analysis:
- - Sigma:
- - Elastic:
- - Splunk:
- - BlockRule:
-Resources:
- - Link: https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358
- - Link: https://www.netwrix.com/ntds_dit_security_active_directory.html
-Acknowledgement:
- - Person: bohop
- Handle: '@bohops'
- - Person: Ekitji
- Handle: '@eki_erk'