DSInternals
DSInternals is an open-source PowerShell module for working with Active Directory and Directory Services data, and it is referenced in multiple security contexts. In a joint advisory on Volt Typhoon activity targeting U.S. critical infrastructure, DSInternals is listed as a tool an actor could use to obtain the same credential material as ntds.dit and registry hive theft from Windows domain controllers, alongside tools such as Secretsdump.py, Invoke-NinjaCopy, FgDump, and Metasploit. The advisory also notes that SVR actors used DSInternals to interact with Directory Services during post-compromise activity that followed JetBrains TeamCity exploitation. Separately, DSInternals is referenced for its Set-ADDBPrimaryGroup function, which was tested as a way to modify a user's Active Directory primaryGroupID; the observed result was that changing the primary group also changed or removed the user's prior primary-group membership. Based on the provided content, DSInternals is associated with Active Directory database and Directory Services interaction, including operations relevant to credential access and to AD group and primaryGroupID manipulation. The content does not describe standalone infection vectors or malware-style persistence behavior, because DSInternals is an open-source administrative and offensive tool rather than self-propagating malware.
Groups observed using it
3 distinct threat actors attributed by public researchers.
“SVR also used DSInternals open source tool to interact with Directory Services.”
...the following tools could be used by an actor to obtain the same information: ... DSInternals (PowerShell)
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Privilege Escalation: 1 technique
Defense Impairment: 1 technique
Credential Access: 2 techniques
Description: Credential extraction via DSInternals and PowerSploit modules, as well as CacheDump, FGDump, Lazagne, Mimikatz, and native Microsoft debugging tools.
MITRE ATT&CK Techniques
"The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive... to perform password cracking [T1003.003]."
Recent activity
3 sources tracked across advisories, community write-ups, and news.