From e2f217c777817d01ab6636def476782b44e314bc Mon Sep 17 00:00:00 2001 From: Tony M Lambert Date: Fri, 10 Jan 2020 22:53:34 -0600 Subject: [PATCH] ntdsutil addition --- yml/OtherMSBinaries/Ntdsutil.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 yml/OtherMSBinaries/Ntdsutil.yml diff --git a/yml/OtherMSBinaries/Ntdsutil.yml b/yml/OtherMSBinaries/Ntdsutil.yml new file mode 100644 index 0000000..52d11df --- /dev/null +++ b/yml/OtherMSBinaries/Ntdsutil.yml @@ -0,0 +1,26 @@ +--- +Name: ntdsutil.exe +Description: Command line utility used to export Actove Directory. +Author: 'Tony Lambert' +Created: '2020-01-10' +Commands: + - Command: ntdsutil.exe “ac i ntds” “ifm” “create full c:\” q q + Description: Dump NTDS.dit into folder + Usecase: Dumping of Active Directory NTDS.dit database + Category: Dump + Privileges: Administrator + MitreID: T1003 + MitreLink: https://attack.mitre.org/wiki/Technique/T1003 + OperatingSystem: Windows +Full_Path: + - Path: C:\Windows\System32\ntdsutil.exe +Code_Sample: + - Code: +Detection: + - IOC: ntdsutil.exe with command line including "ifm" +Resources: + - Link: https://adsecurity.org/?p=2398#CreateIFM +Acknowledgement: + - Person: Sean Metcalf + Handle: '@PyroTek3' +---
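Review bot: Two content fixes in the new YAML before merge. The Description line has a typo, "Actove Directory" should read "Active Directory". More importantly, the Command line uses typographic quotes (“ac i ntds” “ifm” “create full c:\”); cmd.exe does not treat U+201C/U+201D as quoting characters, so anyone copying this entry into a lab or a detection test will get a command that does not parse as intended. Replace them with straight ASCII quotes, e.g. `ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q`. Minor: the `Code_Sample: - Code:` entry is left empty; either drop the key or fill it to match the other entries in the repo, and the MitreLink points at the legacy `/wiki/Technique/T1003` path, the current canonical form is `https://attack.mitre.org/techniques/T1003/`. The Detection IOC ("ifm" on the ntdsutil.exe command line) is sound and matches the resource cited.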