NTDS or SAM Database File Copied

calendar Sep 5, 2023 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Credential Access Data Source: Elastic Endgame Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/24"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic", "Austin Songer"]
11description = """
12Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files.
13Those files contain sensitive information including hashed domain and/or local credentials.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19max_signals = 33
20name = "NTDS or SAM Database File Copied"
21note = """## Setup
22
23If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
24"""
25references = [
26    "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
27    "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy",
28    "https://www.elastic.co/security-labs/detect-credential-access",
29]
30risk_score = 73
31rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f"
32severity = "high"
33tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
34timestamp_override = "event.ingested"
35type = "eql"
36
37query = '''
38process where host.os.type == "windows" and event.type == "start" and
39  (
40    (process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") and
41       process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv")
42    ) or
43    (process.pe.original_file_name : "esentutl.exe" and process.args : ("*/y*", "*/vss*", "*/d*"))
44  ) and
45  process.args : ("*\\ntds.dit", "*\\config\\SAM", "\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*")
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1003"
53name = "OS Credential Dumping"
54reference = "https://attack.mitre.org/techniques/T1003/"
55[[rule.threat.technique.subtechnique]]
56id = "T1003.002"
57name = "Security Account Manager"
58reference = "https://attack.mitre.org/techniques/T1003/002/"
59
60
61
62[rule.threat.tactic]
63id = "TA0006"
64name = "Credential Access"
65reference = "https://attack.mitre.org/tactics/TA0006/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

References

Related rules

to-top