From df8c88f4caadc19936b3c474c4dc7871cb82a5d8 Mon Sep 17 00:00:00 2001 From: Wietze Date: Fri, 5 Nov 2021 20:32:44 +0000 Subject: [PATCH] Remapping NTDS entries to T1003.003 --- yml/OSBinaries/Diskshadow.yml | 2 +- yml/OSBinaries/Esentutl.yml | 2 +- yml/OtherMSBinaries/Ntdsutil.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml index cee424c..447e5e4 100644 --- a/yml/OSBinaries/Diskshadow.yml +++ b/yml/OSBinaries/Diskshadow.yml @@ -9,7 +9,7 @@ Commands: Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit Category: Dump Privileges: User - MitreID: T1218 + MitreID: T1003.003 OperatingSystem: Windows server - Command: diskshadow> exec calc.exe Description: Execute commands using diskshadow.exe to spawn child process diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml index aaea55f..b640943 100644 --- a/yml/OSBinaries/Esentutl.yml +++ b/yml/OSBinaries/Esentutl.yml @@ -44,7 +44,7 @@ Commands: Usecase: Copy/extract a locked file such as the AD Database Category: Copy Privileges: Admin - MitreID: T1003 + MitreID: T1003.003 OperatingSystem: Windows 10, Windows 2016 Server, Windows 2019 Server Full_Path: - Path: C:\Windows\System32\esentutl.exe diff --git a/yml/OtherMSBinaries/Ntdsutil.yml b/yml/OtherMSBinaries/Ntdsutil.yml index 96311e5..b8eb993 100644 --- a/yml/OtherMSBinaries/Ntdsutil.yml +++ b/yml/OtherMSBinaries/Ntdsutil.yml @@ -9,7 +9,7 @@ Commands: Usecase: Dumping of Active Directory NTDS.dit database Category: Dump Privileges: Administrator - MitreID: T1003 + MitreID: T1003.003 OperatingSystem: Windows Full_Path: - Path: C:\Windows\System32\ntdsutil.exe
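Review bot: In the Diskshadow.yml hunk the remap from T1218 to T1003.003 fits the entry (pulling NTDS.dit out of a VSS snapshot is credential dumping, not proxy execution), but the unchanged context line `Privileges: User` now contradicts it: creating a shadow copy with diskshadow needs an elevated session, and NTDS.dit only exists on a domain controller, so this field should say the same as the Esentutl and Ntdsutil entries touched by this patch. The file's second command, `diskshadow> exec calc.exe`, is a child-process spawn and is the one that genuinely belongs under T1218; its MitreID line is outside the hunk, so please confirm only the dump entry was remapped. Minor: `OperatingSystem: Windows server` uses a different capitalisation and vocabulary from the other two files.

Review bot: In the Esentutl.yml hunk the Usecase still reads "Copy/extract a locked file such as the AD Database", i.e. the entry describes generic copying of locked files, of which NTDS.dit is one example, while the new MitreID narrows it to the NTDS sub-technique. Either make the Usecase NTDS-specific to match T1003.003, or keep the parent T1003 for the generic entry, since the same esentutl copy of the SAM and SYSTEM hives would map to T1003.002 rather than T1003.003.

Review bot: In the Ntdsutil.yml hunk the remap is consistent with the Usecase ("Dumping of Active Directory NTDS.dit database"). Style point across the three files: the context lines show `Privileges: Administrator` here, `Privileges: Admin` in Esentutl.yml and `Privileges: User` in Diskshadow.yml; as this patch already edits all three entries, normalising that vocabulary would keep the field filterable. `OperatingSystem: Windows` is also vaguer than the server list in Esentutl.yml, and ntdsutil is only meaningful on a domain controller, so naming the server versions as that file does would be more accurate.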