diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml index cee424c..447e5e4 100644 --- a/yml/OSBinaries/Diskshadow.yml +++ b/yml/OSBinaries/Diskshadow.yml @@ -9,7 +9,7 @@ Commands: Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit Category: Dump Privileges: User - MitreID: T1218 + MitreID: T1003.003 OperatingSystem: Windows server - Command: diskshadow> exec calc.exe Description: Execute commands using diskshadow.exe to spawn child process diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml index aaea55f..b640943 100644 --- a/yml/OSBinaries/Esentutl.yml +++ b/yml/OSBinaries/Esentutl.yml @@ -44,7 +44,7 @@ Commands: Usecase: Copy/extract a locked file such as the AD Database Category: Copy Privileges: Admin - MitreID: T1003 + MitreID: T1003.003 OperatingSystem: Windows 10, Windows 2016 Server, Windows 2019 Server Full_Path: - Path: C:\Windows\System32\esentutl.exe diff --git a/yml/OtherMSBinaries/Ntdsutil.yml b/yml/OtherMSBinaries/Ntdsutil.yml index 96311e5..b8eb993 100644 --- a/yml/OtherMSBinaries/Ntdsutil.yml +++ b/yml/OtherMSBinaries/Ntdsutil.yml @@ -9,7 +9,7 @@ Commands: Usecase: Dumping of Active Directory NTDS.dit database Category: Dump Privileges: Administrator - MitreID: T1003 + MitreID: T1003.003 OperatingSystem: Windows Full_Path: - Path: C:\Windows\System32\ntdsutil.exe
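Review bot: in the Diskshadow.yml hunk, the move from T1218 to T1003.003 matches the stated Usecase (pulling NTDS.dit out of a volume shadow copy is OS Credential Dumping: NTDS), but two neighbouring fields now disagree with that mapping. The entry keeps `Privileges: User`, while the Esentutl and Ntdsutil entries in this same patch list Admin/Administrator for the equivalent NTDS.dit access; suggest `Privileges: Administrator` here so that detection rules keyed on the privilege field treat the three NTDS.dit paths alike. Also, the unchanged `- Command: diskshadow> exec calc.exe` entry that follows is the one that actually describes proxy execution, so please confirm that its own MitreID (outside this hunk) still carries T1218 and was not dropped along with this change.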
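Review bot: in the Esentutl.yml hunk, T1003.003 only holds when the copied file is the AD database, yet the Usecase is phrased generically as "Copy/extract a locked file such as the AD Database" with Category `Copy`; either narrow the Usecase wording to NTDS.dit or note that other locked targets fall under different T1003 sub-techniques, otherwise a reader will apply the NTDS mapping to every locked-file copy. A minor style point: this file uses `Privileges: Admin` while Ntdsutil.yml in the same patch uses `Administrator`; pick one spelling so tooling that filters on the field gets a consistent value.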
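Review bot: no correctness issue with the Ntdsutil.yml hunk; narrowing T1003 to T1003.003 is the right sub-technique for an NTDS.dit dump via ntdsutil. The documentation point is that three files receive the same re-mapping with no stated rationale in the hunks; a short line in the commit message naming the ATT&CK sub-technique (OS Credential Dumping: NTDS) and the reason the parent technique was narrowed would let future readers and downstream detection mappings see why the IDs changed.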