dsdbutil.exe
Dsdbutil is a command-line tool built into Windows Server; it is available when the AD LDS server role is installed. It can be used from the command line to export the Active Directory database.
Paths
C:\Windows\System32\dsdbutil.exe
C:\Windows\SysWOW64\dsdbutil.exe
Commands
Dump
dsdbutil supports VSS snapshot creation
Use case: Snapshotting the Active Directory NTDS.dit database
Privileges: Administrator
dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
Dump
Mounting the snapshot with its GUID
Use case: Mounting the snapshot to access ntds.dit with `copy c:\<Snap Volume>\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak`
Privileges: Administrator
dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
Dump
Deleting the mounted snapshot by its GUID
Use case: Deletes the snapshot
Privileges: Administrator
dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit"
Dump
Mounting with the snapshot identifier
Use case: Mounting the snapshot with identifier 1 and accessing ntds.dit with `copy c:\<Snap Volume>\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak`
Privileges: Administrator
dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
Dump
Deleting the mounted snapshot by its identifier
Use case: Deletes the snapshot with identifier 1
Privileges: Administrator
dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit"
Detection
- IOC: Event ID 4688, dsdbutil.exe process creation
- IOC: Event ID 4663, regular and Volume Shadow Copy attempts to read or modify ntds.dit
- IOC: Event ID 4656, regular and Volume Shadow Copy attempts to read or modify ntds.dit