Remapping NTDS entries to T1003.003

Wietze 2021-11-05 20:32:44 +00:00
parent 8257d60aad
commit df8c88f4ca
No known key found for this signature in database
GPG Key ID: E17630129FF993CF
3 changed files with 3 additions and 3 deletions


@ -9,7 +9,7 @@ Commands:
Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit Usecase: Use diskshadow to exfiltrate data from VSS such as NTDS.dit
Category: Dump Category: Dump
Privileges: User Privileges: User
MitreID: T1218 MitreID: T1003.003
OperatingSystem: Windows server OperatingSystem: Windows server
- Command: diskshadow> exec calc.exe - Command: diskshadow> exec calc.exe
Description: Execute commands using diskshadow.exe to spawn child process Description: Execute commands using diskshadow.exe to spawn child process
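Review bot: the context line `Privileges: User` directly above the changed `MitreID` does not fit the new T1003.003 mapping. The usecase on this entry is pulling NTDS.dit out of a volume shadow copy, which the esentutl and ntdsutil entries in this same commit list as `Admin` and `Administrator`. Please confirm the privilege level for this command and correct it in the same change if it is wrong, so that consumers filtering on `Privileges` and `MitreID` together get a consistent record. Also note that the usecase reads "data from VSS such as NTDS.dit", so the ID is now narrower than the wording; tightening the usecase to name NTDS.dit would match.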


@ -44,7 +44,7 @@ Commands:
Usecase: Copy/extract a locked file such as the AD Database Usecase: Copy/extract a locked file such as the AD Database
Category: Copy Category: Copy
Privileges: Admin Privileges: Admin
MitreID: T1003 MitreID: T1003.003
OperatingSystem: Windows 10, Windows 2016 Server, Windows 2019 Server OperatingSystem: Windows 10, Windows 2016 Server, Windows 2019 Server
Full_Path: Full_Path:
- Path: C:\Windows\System32\esentutl.exe - Path: C:\Windows\System32\esentutl.exe
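Review bot: the `Usecase` on this entry, "Copy/extract a locked file such as the AD Database", is generic, while the new `MitreID: T1003.003` is specific to NTDS. If the entry is meant to cover any locked file, the sub-technique narrows it more than the text does. Either reword the usecase to name NTDS.dit explicitly, or state in the description that the AD database is the case being mapped, so detections keyed on T1003.003 are not assumed to cover the other locked-file copies this command can perform.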


@ -9,7 +9,7 @@ Commands:
Usecase: Dumping of Active Directory NTDS.dit database Usecase: Dumping of Active Directory NTDS.dit database
Category: Dump Category: Dump
Privileges: Administrator Privileges: Administrator
MitreID: T1003 MitreID: T1003.003
OperatingSystem: Windows OperatingSystem: Windows
Full_Path: Full_Path:
- Path: C:\Windows\System32\ntdsutil.exe - Path: C:\Windows\System32\ntdsutil.exe
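Review bot: style point on the context line `Privileges: Administrator`: the esentutl entry touched by this commit uses `Privileges: Admin` for the same requirement. Since all three NTDS entries are being aligned on one technique ID here, normalise the privilege value to a single spelling as well, so a filter on that field matches every T1003.003 entry. The `MitreID` change itself matches the usecase on this entry (dumping the NTDS.dit database).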