~/Privilege Escalation/Windows/Binaries# cat ntdsutil.exe.md

Command line utility used to export Active Directory.

Paths:

C:\Windows\System32\ntdsutil.exe

Detection: ntdsutil.exe with command line including “ifm”

Dump

Dump NTDS.dit into folder

ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q
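
The detection rule above (ntdsutil.exe with "ifm" in the command line), applied to process-creation events, as an added example that is not part of the original page. The event field names (`Image`, `CommandLine`) follow Sysmon Event ID 1, the sample events are constructed, and the function names are hypothetical; it also reports the folder given to `create full` so a responder knows where the NTDS.dit copy was written.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q'},
    {"Image": r"C:\WINDOWS\system32\NTDSUTIL.EXE",
     "CommandLine": r'NTDSUTIL.EXE "activate instance ntds" IFM '
                    r'"create full D:\ifm_out" quit quit'},
    {"Image": r"C:\Windows\System32\ntdsutil.exe",   # no ifm: must not alert
     "CommandLine": r'ntdsutil.exe "ac i ntds" "files" "info" q q'},
    {"Image": r"C:\Windows\System32\cmd.exe",        # ifm, but not ntdsutil
     "CommandLine": r"cmd.exe /c echo ifm"},
]

# "ifm" as a whole word, so a path such as D:\ifm_out alone does not match.
IFM_WORD = re.compile(r"(?<!\w)ifm(?!\w)", re.IGNORECASE)
CREATE_FULL = re.compile(r"^\s*create\s+full\s+(.+?)\s*$", re.IGNORECASE)


def split_args(command_line):
    """Split a command line, keeping each double-quoted group as one argument."""
    return [q if q else bare
            for q, bare in re.findall(r'"([^"]*)"|(\S+)', command_line)]


def detect_ifm(event):
    """Return a finding dict if the event is ntdsutil.exe run with ifm, else None."""
    if ntpath.basename(event.get("Image", "")).lower() != "ntdsutil.exe":
        return None
    args = split_args(event.get("CommandLine", ""))[1:]  # skip program name
    if not any(IFM_WORD.search(arg) for arg in args):
        return None
    output_dir = None
    for arg in args:
        match = CREATE_FULL.match(arg)
        if match:
            output_dir = match.group(1)  # folder that received the dump
    return {"image": event["Image"],
            "command_line": event["CommandLine"],
            "output_dir": output_dir}


def scan(events):
    return [finding for finding in map(detect_ifm, events) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT ntdsutil ifm, output dir:", finding["output_dir"])
```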