Process
ntdsutil.exe
ntdsutil.exe is the command-line tool for maintaining the Active Directory database. Domain controller administrators use it for database housekeeping, authoritative restores, and snapshots of the directory store. The same snapshot and Install From Media features let an attacker on a domain controller copy out the entire directory database, which holds every domain account's password hash.
File identity
Not observed.
Execution context
Not observed.
Ancestry
Not observed.
Behavior
Not observed.
ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q · Dump · Dumping of Active Directory NTDS.dit database
Indicators
Not observed.
Analysis
ntdsutil.exe manages the Active Directory Domain Services database, the ntds.dit file that stores every object and credential in a domain. Its legitimate jobs are database maintenance: defragmentation, authoritative restore, metadata cleanup of decommissioned domain controllers, snapshot management, and creating Install From Media (IFM) sets used to stand up new domain controllers. It is installed on domain controllers and on servers running AD LDS or the AD DS management tools, not on a default Windows client. The genuine binary lives at C:\Windows\System32\ntdsutil.exe and requires an elevated prompt.
Legitimately, ntdsutil is run interactively by domain administrators during planned maintenance on a domain controller. It does not run on its own and does not belong on ordinary workstations. Its interactive sub-commands, or the arguments that drive them from a script, describe what each invocation is doing.
ntdsutil.exe is a headline tool for stealing domain credentials (T1003.003). On a domain controller, ntdsutil "activate instance ntds" "ifm" "create full C:\path" q q quietly writes a complete copy of ntds.dit along with the SYSTEM registry hive, which holds the boot key needed to decrypt it. Together those two files yield every domain account's password hash for offline cracking and follow-on attacks like golden tickets. Creating and mounting a snapshot reaches the same data by exposing ntds.dit on a mounted volume.
This is post-compromise activity that requires domain controller administrator rights, which makes it high-signal when it appears. ntdsutil running with ifm, create, or snapshot verbs, especially driven non-interactively by a cmd.exe or powershell.exe parent or a remote-execution tool, or any ntdsutil on a machine that is not a domain controller, warrants immediate investigation. Because both the binary and the operations are legitimate, the verbs and the context are what separate maintenance from theft.
- Image path other than C:\Windows\System32\ntdsutil.exe · high
- ifm or create full arguments (Install From Media dump of the database) · high
- activate instance ntds followed by snapshot or IFM operations · high
- A snapshot created and mounted to reach ntds.dit · high
- Parent is cmd.exe, powershell.exe, or a remote-execution tool rather than an interactive admin shell · high
- Running on a host that is not a domain controller · high
- Output written to a staging or user-writable path · med
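As an added detection example (not part of this profile), the indicators above turned into a scorer over process-creation events; the event field names, the remote-execution parent names and the user-writable-path heuristic are assumptions, and the sample events are constructed.

```python
import re

# Assumed event fields: image, command_line, parent_image, is_domain_controller (asset lookup).
EXPECTED_IMAGE = r"c:\windows\system32\ntdsutil.exe"
SCRIPTED_PARENTS = {"cmd.exe", "powershell.exe", "wsmprovhost.exe", "psexesvc.exe"}  # last two: assumed remote-exec hosts
# Assumed heuristic for "staging or user-writable path".
USER_WRITABLE = re.compile(r"\\(users|temp|tmp|programdata)\\|\\windows\\temp\\", re.I)
# ntdsutil accepts abbreviated verbs ("ac i ntds" == "activate instance ntds"), so match both.
ACTIVATE_NTDS = re.compile(r"\bac(?:tivate)?\s+i(?:nstance)?\s+ntds\b")
IFM_OR_CREATE = re.compile(r"\bifm\b|\bcreate\s+full\b")
SNAPSHOT, MOUNT = re.compile(r"\bsn(?:apshot)?\b"), re.compile(r"\bmount\b")
OUTPUT_PATH = re.compile(r"create\s+full\s+(\S+)")


def score_event(event):
    """Return (verdict, findings); findings is a list of (indicator, severity)."""
    # Quotes delimit ntdsutil sub-commands; drop them and normalise to lowercase.
    cmd = " ".join(event.get("command_line", "").replace('"', " ").split()).lower()
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    non_interactive = len(cmd.split()) > 1   # verbs on the command line, not typed at the prompt
    findings = []
    if image != EXPECTED_IMAGE:
        findings.append(("image path other than System32 ntdsutil.exe", "high"))
    ifm, act, snap = IFM_OR_CREATE.search(cmd), ACTIVATE_NTDS.search(cmd), SNAPSHOT.search(cmd)
    if ifm:
        findings.append(("ifm / create full arguments (IFM dump of ntds.dit)", "high"))
    if act and any(m and m.start() > act.end() for m in (ifm, snap)):
        findings.append(("activate instance ntds followed by snapshot or IFM", "high"))
    if snap and MOUNT.search(cmd):
        findings.append(("snapshot created and mounted", "high"))
    if non_interactive and parent in SCRIPTED_PARENTS:
        findings.append((f"scripted invocation from parent {parent}", "high"))
    if not event.get("is_domain_controller", False):
        findings.append(("running on a host that is not a domain controller", "high"))
    out = OUTPUT_PATH.search(cmd)
    if out and USER_WRITABLE.search(out.group(1)):
        findings.append(("output written to a user-writable path", "med"))
    verdict = "investigate" if any(s == "high" for _, s in findings) else "review" if findings else "benign"
    return verdict, findings


# Constructed sample events (not real telemetry): a scripted IFM dump on a DC, and an
# administrator opening the interactive prompt on a DC for planned maintenance.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\ntdsutil.exe",
     "command_line": r'ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q',
     "parent_image": r"C:\Windows\System32\cmd.exe", "is_domain_controller": True},
    {"image": r"C:\Windows\System32\ntdsutil.exe", "command_line": "ntdsutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "is_domain_controller": True},
]
```

The first sample event scores three high indicators and the verdict "investigate"; the interactive maintenance session scores none.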
Telemetry
Not observed.