AD Dumping via Ntdsutil.exe
Identifies use of ntdsutil.exe to export an Active Directory database (ntds.dit) to disk.
id: 19d59f40-12fc-11e9-8d76-4d6bb837cda4
categories: detect
confidence: medium
os: windows
created: 01/07/2019
updated: 01/07/2019
MITRE ATT&CK™ Mapping
tactics: Credential Access
techniques: T1003 Credential Dumping
Query
file where file_name == "ntds.dit" and process_name == "ntdsutil.exe"