AD Dumping via Ntdsutil.exe
Identifies usage of ntdsutil.exe to export an Active Directory database to disk.
| id: | 19d59f40-12fc-11e9-8d76-4d6bb837cda4 |
|---|---|
| categories: | detect |
| confidence: | medium |
| os: | windows |
| created: | 01/07/2019 |
| updated: | 01/07/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Credential Access |
|---|---|
| techniques: | T1003 Credential Dumping |
Query

```eql
file where file_name == "ntds.dit" and process_name == "ntdsutil.exe"
```
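The following is an added example, not part of the original analytic: it applies the same rule logic to a few constructed file events so the match and near-miss cases are visible. The event schema (`event_type`, `file_path`, `process_path`) is assumed; names are compared case-insensitively because Windows file names are case-insensitive.

```python
import ntpath

# Assumed normalized event schema (not from any specific product):
#   event_type   - "file" or "process"
#   file_path    - full path of the file written (file events only)
#   process_path - full path of the image of the acting process
# Mirrors: file where file_name == "ntds.dit" and process_name == "ntdsutil.exe"

def matches_ntdsutil_dump(event):
    """Return True when a file event shows ntdsutil.exe writing ntds.dit."""
    if event.get("event_type") != "file":
        return False
    # Windows file names are case-insensitive, so normalize both sides.
    file_name = ntpath.basename(event.get("file_path", "")).lower()
    process_name = ntpath.basename(event.get("process_path", "")).lower()
    return file_name == "ntds.dit" and process_name == "ntdsutil.exe"

def find_matches(events):
    """Return the events that trigger the analytic, in input order."""
    return [e for e in events if matches_ntdsutil_dump(e)]

# Constructed sample events covering the match and the expected non-matches.
SAMPLE_EVENTS = [
    {"id": 1, "event_type": "file",
     "file_path": r"C:\Temp\ifm\Active Directory\ntds.dit",
     "process_path": r"C:\Windows\System32\ntdsutil.exe"},
    # Same tool, different artifact: the rule only keys on ntds.dit.
    {"id": 2, "event_type": "file",
     "file_path": r"C:\Temp\ifm\registry\SYSTEM",
     "process_path": r"C:\Windows\System32\ntdsutil.exe"},
    # Another process touching ntds.dit is out of scope for this analytic.
    {"id": 3, "event_type": "file",
     "file_path": r"D:\backup\ntds.dit",
     "process_path": r"C:\Windows\explorer.exe"},
    # Mixed case still matches after normalization.
    {"id": 4, "event_type": "file",
     "file_path": r"C:\TEMP\IFM\ACTIVE DIRECTORY\NTDS.DIT",
     "process_path": r"C:\WINDOWS\SYSTEM32\NTDSUTIL.EXE"},
    # Process-start events are ignored; only file events are evaluated.
    {"id": 5, "event_type": "process",
     "process_path": r"C:\Windows\System32\ntdsutil.exe"},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT event", hit["id"], hit["process_path"], "->", hit["file_path"])
```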