AD Dumping via Ntdsutil.exe¶

Identifies usage of ntdsutil.exe to export an Active Directory database to disk.

id:	19d59f40-12fc-11e9-8d76-4d6bb837cda4
categories:	detect
confidence:	medium
os:	windows
created:	01/07/2019
updated:	01/07/2019

MITRE ATT&CK™ Mapping¶

tactics:	Credential Access
techniques:	T1003 Credential Dumping

Query¶

file where file_name == "ntds.dit" and process_name == "ntdsutil.exe"

Detonation¶

Atomic Red Team: T1003

Contributors¶

Tony Lambert

Read the Docs v: latest

Versions: latest

Downloads: pdf; html; epub

On Read the Docs: Project Home; Builds

Free document hosting provided by Read the Docs.