From dc3a211c899c2c5fba5ad78337542901d11cdc5f Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Tue, 17 Mar 2020 10:55:59 +0100 Subject: [PATCH] Re-added ntdsutil --- yml/OtherMSBinaries/Ntdsutil.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 yml/OtherMSBinaries/Ntdsutil.yml diff --git a/yml/OtherMSBinaries/Ntdsutil.yml b/yml/OtherMSBinaries/Ntdsutil.yml new file mode 100644 index 0000000..f9ae0f5 --- /dev/null +++ b/yml/OtherMSBinaries/Ntdsutil.yml @@ -0,0 +1,26 @@ +--- +Name: ntdsutil.exe +Description: Command line utility used to export Actove Directory. +Author: 'Tony Lambert' +Created: '2020-01-10' +Commands: + - Command: ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q + Description: Dump NTDS.dit into folder + Usecase: Dumping of Active Directory NTDS.dit database + Category: Dump + Privileges: Administrator + MitreID: T1003 + MitreLink: https://attack.mitre.org/wiki/Technique/T1003 + OperatingSystem: Windows +Full_Path: + - Path: C:\Windows\System32\ntdsutil.exe +Code_Sample: + - Code: +Detection: + - IOC: ntdsutil.exe with command line including "ifm" +Resources: + - Link: https://adsecurity.org/?p=2398#CreateIFM +Acknowledgement: + - Person: Sean Metcalf + Handle: '@PyroTek3' +--- \ No newline at end of file
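Review bot: The `Description` line in the new `Ntdsutil.yml` misspells "Active Directory" as "Actove Directory"; suggest `Description: Command line utility used to export Active Directory.` (or, more precisely, "to manage and export the Active Directory database"). Two smaller points in the same hunk: `Code_Sample` is left as an empty `- Code:` entry, so either drop the block or fill it with the same `ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q` invocation so the entry renders consistently with other LOLBAS files; and `MitreLink` uses the legacy `https://attack.mitre.org/wiki/Technique/T1003` form, where the current canonical page is `https://attack.mitre.org/techniques/T1003/`. On the `Privileges: Administrator` line it is worth stating that the `ifm` path only works on a domain controller, since `ac i ntds` activates the local NTDS instance, which is where the detection note about command lines containing `"ifm"` should be applied.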