NTDS or SAM Database File Copied
Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.
Elastic rule

```toml
[metadata]
creation_date = "2020/11/24"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/04/22"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files.
Those files contain sensitive information including hashed domain and/or local credentials.
"""
from = "now-9m"
index = [
  "endgame-*",
  "logs-crowdstrike.fdr*",
  "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-system.security*",
  "logs-windows.forwarded*",
  "logs-windows.sysmon_operational-*",
  "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
max_signals = 33
name = "NTDS or SAM Database File Copied"
references = [
  "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
  "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy",
  "https://www.elastic.co/security-labs/detect-credential-access",
  "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
]
risk_score = 73
rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Credential Access",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender XDR",
  "Data Source: SentinelOne",
  "Data Source: Sysmon",
  "Data Source: Crowdstrike",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  (
    ((?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") or process.name : ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE")) and
     process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv")
    ) or
    ((?process.pe.original_file_name : "esentutl.exe" or process.name : "esentutl.exe") and process.args : ("*/y*", "*/vss*", "*/d*"))
  ) and
  process.command_line : ("*\\ntds.dit*", "*\\config\\SAM*", "*\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*")
'''

note = """## Triage and analysis

### Investigating NTDS or SAM Database File Copied

#### Possible investigation steps

- What protected store did the alerting command try to copy, and where was it sent?
  - Focus: `process.command_line` for NTDS vs SAM, direct path vs "GLOBALROOT\\Device\\HarddiskVolumeShadowCopy" or "esentutl.exe /y /vss /d", and a local, UNC, archive, or temp-like destination.
  - Implication: escalate when the command copies NTDS, SAM, or a VSS-backed hive to a user-writable, remote, or archive path, and treat NTDS as domain credential exposure and SAM as local credential exposure; lower suspicion only when the exact source, destination, and copy method fit one recognized backup, repair, or authorized forensic collection. Identity alone never clears the copy.

- If PowerShell performed the copy, what script content produced it?
  - Focus: if PowerShell script-block telemetry is available, recover events with `host.id` + `process.pid` in a tight alert window; reconstruct split blocks with `powershell.file.script_block_id`, `powershell.sequence`, and `powershell.total`, then read `powershell.file.script_block_text`. Missing PowerShell telemetry is unresolved, not benign.
  - Implication: escalate when the reconstructed script copies NTDS, SAM, or VSS paths, loops shadow copies, hides destinations, or chains archive or transfer logic; lower suspicion when script content matches the same recognized backup, repair, or forensic workflow as the alert command.

- Is the copier the expected binary in the expected launch chain?
  - Focus: `process.executable`, `process.pe.original_file_name`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `process.parent.executable`.
  - Implication: escalate when the copier is renamed, unsigned or unexpectedly signed, runs from a user-writable path, or is launched by an unusual shell, script, service, or remote tool; lower suspicion when the same binary identity and parent chain match the workflow proven in the command line.

- Does the user, privilege, and session context fit protected credential-store access?
  - Focus: `user.id`, `process.Ext.session_info.logon_type`, `process.Ext.token.integrity_level_name`, and `process.Ext.authentication_id`. $investigate_2
  - Hint: if Windows Security authentication logs are available, recover session origin by matching `process.Ext.authentication_id` to same-host `winlog.event_data.TargetLogonId`, then read `source.ip` and `winlog.event_data.AuthenticationPackageName`. Missing authentication telemetry is unresolved, not benign.
  - Implication: escalate when the copy runs under an unexpected admin, service, machine, remote-interactive, or high-integrity context, or when recovered origin evidence conflicts with the same backup, repair, or forensic pattern; lower suspicion only when account, session type, and origin all match that pattern.

- Do recovered artifacts or follow-on activity show staging or transfer?
  - Focus: if endpoint file telemetry is available, recover file events for the copier and children; read `file.path` and `file.name`. Missing file telemetry is unresolved, not benign. $investigate_3
  - Hint: review child starts where `process.parent.entity_id` matches the copier, especially `process.command_line` and `process.executable`; if endpoint network telemetry is available, recover connections for the copier and children, then read `destination.ip`, `destination.port`, and `network.direction`. Missing network telemetry is unresolved, not benign. $investigate_4 $investigate_5
  - Implication: escalate when copied hives, "ntds.dit", SAM exports, archives, child archivers, share-copy tools, upload utilities, or outbound connections reuse the copied store or destination; absence of recovered artifacts or connections cannot close the alert by itself.

- If local evidence is unrecognized, is this copy part of a VSS-to-archive credential-access chain?
  - Focus: related alerts for `user.id` showing shadow-copy creation, credential dumping, archiving, privilege escalation, lateral movement, or the same command/store pattern. $investigate_0
  - Hint: compare `host.id` history for the same store or destination pattern; this rule catches the copy, so earlier shadow-copy or backup-service activity changes scope. $investigate_1
  - Implication: broaden scope when related evidence shows shadow-copy creation before the copy or archiving/transfer after it; do not close while the current copy evidence remains unresolved.

- Escalate on an unrecognized NTDS, SAM, or VSS copy to a staging path, abnormal copier or parent, mismatched session, recovered script/artifact/transfer evidence, or a VSS-to-archive chain; close only when source, destination, copier, session, and recovered evidence all match one backup, repair, or authorized forensic/IR pattern; preserve and escalate when evidence is mixed or incomplete.

### False positive analysis

- Backup, disaster-recovery, repair, and authorized forensic/IR collection can legitimately copy NTDS, SAM, or VSS-backed hives. Confirm by aligning identity (`process.executable`, `process.code_signature.subject_name`, `process.parent.executable`), intent (bounded `process.command_line` source/destination), and scope (`user.id`, `host.id`, recovered artifact destination, and recovered session origin). If organizational records are unavailable, close only when telemetry proves the same identity, command, destination, artifact, session, `user.id`, and `host.id` pattern; otherwise preserve and escalate.
- Build exceptions only from the minimum confirmed workflow pattern: stable `process.executable` or `process.code_signature.subject_name`, `process.parent.executable`, bounded `process.command_line` source/destination, `user.id`, and `host.id`. Avoid exceptions on utility name, copied store name, or destination family alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and document the evidence that proved the workflow: copier identity, parent chain, command source/destination, recovered artifact destination, `user.id`, `host.id`, and recovered session origin. Create an exception only after a tuning review confirms the same stable workflow pattern; do not suppress on one partial match.
- If suspicious but unconfirmed, preserve the alert, Timeline or query results, `process.entity_id` or `process.pid` + `host.id` + alert time, `process.command_line`, `process.parent.executable`, recovered copied-store paths, archive names, destination shares, transfer destinations, and recovered session-origin evidence before containment or cleanup.
- Apply reversible containment next: restrict the destination share, block confirmed transfer destinations, heighten monitoring for the affected `host.id` and `user.id`, or isolate the endpoint only after weighing tier-0 and production impact.
- If malicious activity is confirmed, isolate the host or contain the account according to the evidence, then terminate the copy, archive, or transfer process only after preserving `process.entity_id`, `process.parent.entity_id`, command lines, copied-store locations, and destination indicators.
- For confirmed NTDS copying, activate the Active Directory compromise response plan and begin credential hygiene for affected administrative tiers. For confirmed SAM copying, scope local-account and service-account exposure on the affected endpoint or server.
- After evidence export and scoping, eradicate only copied databases or hives, archives, shadow-copy artifacts, and staging utilities identified during investigation, then remediate the privilege path or access vector that enabled the copy.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "host.id",
  "user.name",
  "user.id",
  "process.entity_id",
  "process.executable",
  "process.command_line",
  "process.pe.original_file_name",
  "process.parent.entity_id",
  "process.parent.executable",
  "process.parent.command_line",
  "process.code_signature.subject_name",
  "process.Ext.authentication_id",
  "process.Ext.session_info.logon_type",
  "process.Ext.token.integrity_level_name",
]

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Authentication events for the linked session"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "winlog.event_data.TargetLogonId", queryType = "phrase", value = "{{process.Ext.authentication_id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4624", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "File activity for the alerting process and children"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Child processes of the copier"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network activity for the alerting process and children"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.002"
name = "Security Account Manager"
reference = "https://attack.mitre.org/techniques/T1003/002/"

[[rule.threat.technique.subtechnique]]
id = "T1003.003"
name = "NTDS"
reference = "https://attack.mitre.org/techniques/T1003/003/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
```
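The EQL query above can be hard to reason about because it mixes a case-sensitive `in` on `process.pe.original_file_name` with case-insensitive, wildcard-aware `:` matches on names, arguments and the command line. The following is an added example, not Elastic's code: it re-implements the rule's predicates in Python and runs them over constructed process-start events so that the match and no-match cases can be checked offline. EQL `:` is approximated with `fnmatch` on lower-cased strings.

```python
"""Added example (not Elastic's code): re-implements the rule's EQL predicates
and evaluates them over constructed process-start events."""
import fnmatch

# Values copied from the rule query above.
SHELL_OFN = ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE")     # EQL 'in': case-sensitive
SHELL_NAMES = ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE")   # EQL ':': case-insensitive
COPY_VERBS = ("copy", "xcopy", "Copy-Item", "move", "cp", "mv")
ESENTUTL_ARGS = ("*/y*", "*/vss*", "*/d*")
STORE_PATTERNS = (
    "*\\ntds.dit*",
    "*\\config\\SAM*",
    "*\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*",
    "*/system32/config/SAM*",
)


def like(value, patterns):
    """EQL ':' semantics: case-insensitive, '*' wildcard; a missing field never matches."""
    if value is None:
        return False
    return any(fnmatch.fnmatchcase(str(value).lower(), p.lower()) for p in patterns)


def any_arg(args, patterns):
    """EQL list-field semantics: true if any element of process.args matches."""
    return any(like(a, patterns) for a in (args or ()))


def matches_rule(ev):
    """True when a process event satisfies the rule's EQL query."""
    if ev.get("host.os.type") != "windows" or ev.get("event.type") != "start":
        return False
    ofn = ev.get("process.pe.original_file_name")   # '?' field: may be absent
    name = ev.get("process.name")
    args = ev.get("process.args")
    shell_copy = (ofn in SHELL_OFN or like(name, SHELL_NAMES)) and any_arg(args, COPY_VERBS)
    esentutl = (like(ofn, ("esentutl.exe",)) or like(name, ("esentutl.exe",))) \
        and any_arg(args, ESENTUTL_ARGS)
    return (shell_copy or esentutl) and like(ev.get("process.command_line"), STORE_PATTERNS)


def _event(name, cmd, ofn=None):
    """Build a constructed Windows process-start event from a command line."""
    return {"host.os.type": "windows", "event.type": "start", "process.name": name,
            "process.pe.original_file_name": ofn, "process.args": cmd.split(),
            "process.command_line": cmd}


# Constructed sample events (not real telemetry); the first three mirror the
# copy patterns the rule and its references describe, the rest should not fire.
SAMPLES = {
    "vss_ntds_copy": _event("cmd.exe", "cmd.exe /c copy "
        "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit "
        "C:\\Temp\\ntds.dit", "Cmd.Exe"),
    "esentutl_sam_vss": _event("esentutl.exe",
        "esentutl.exe /y C:\\Windows\\System32\\config\\SAM /vss /d C:\\Temp\\sam.hive"),
    "ps_copy_item_sam": _event("powershell.exe", "powershell.exe -c Copy-Item "
        "C:\\Windows\\System32\\config\\SAM C:\\Users\\Public\\SAM", "PowerShell.EXE"),
    "backup_xcopy": _event("xcopy.exe", "xcopy C:\\Users\\docs D:\\backup /E /H", "XCOPY.EXE"),
    "esentutl_repair": _event("esentutl.exe", "esentutl.exe /p C:\\Data\\edb.db"),
    "notepad_ntds": _event("notepad.exe", "notepad.exe C:\\Windows\\NTDS\\ntds.dit"),
}


def evaluate(samples=SAMPLES):
    """Return the names of the sample events the rule would alert on."""
    return sorted(n for n, ev in samples.items() if matches_rule(ev))


if __name__ == "__main__":
    print(evaluate())   # ['esentutl_sam_vss', 'ps_copy_item_sam', 'vss_ntds_copy']
```

Note that `notepad_ntds` does not fire even though the command line names `ntds.dit`: the rule only alerts when the process is one of the listed copy utilities, so other access paths need separate coverage.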
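Two of the investigation steps in the note are mechanical enough to script: reassembling split PowerShell script blocks by `powershell.file.script_block_id`, `powershell.sequence` and `powershell.total`, and linking `process.Ext.authentication_id` to a same-host 4624 `winlog.event_data.TargetLogonId`. The following is an added example, not Elastic's code, using the field names the note lists; the event dicts are constructed samples. It keeps the note's rule that missing telemetry is unresolved, not benign: an incomplete block or an unmatched logon id is reported as unresolved rather than silently treated as clean.

```python
"""Added example (not Elastic's code): script-block reconstruction and
session-origin linkage for the triage steps in the note, over constructed events."""
from collections import defaultdict

# Markers from the note's focus fields; matched case-insensitively in reassembled text.
STORE_MARKERS = ("ntds.dit", "\\config\\sam", "harddiskvolumeshadowcopy")


def reconstruct_script_blocks(events, host_id, pid):
    """Map script_block_id -> {text, complete, hits} for one host.id + process.pid.

    A block whose fragments do not cover 1..total is returned with text None and
    complete False (unresolved), never as a partial, apparently harmless script."""
    frags, totals = defaultdict(dict), {}
    for ev in events:
        if ev.get("host.id") != host_id or ev.get("process.pid") != pid:
            continue
        sbid = ev.get("powershell.file.script_block_id")
        if sbid is None:
            continue
        frags[sbid][ev["powershell.sequence"]] = ev["powershell.file.script_block_text"]
        totals[sbid] = ev["powershell.total"]
    out = {}
    for sbid, parts in frags.items():
        expected = set(range(1, totals[sbid] + 1))
        if set(parts) != expected:
            out[sbid] = {"text": None, "complete": False, "hits": []}
            continue
        text = "".join(parts[i] for i in sorted(expected))
        out[sbid] = {"text": text, "complete": True,
                     "hits": [m for m in STORE_MARKERS if m in text.lower()]}
    return out


def session_origin(alert, security_events):
    """Return {source.ip, package} from the 4624 whose TargetLogonId matches the
    alert's process.Ext.authentication_id on the same host, or None if unresolved."""
    for ev in security_events:
        if (ev.get("host.id") == alert["host.id"] and ev.get("event.code") == "4624"
                and ev.get("winlog.event_data.TargetLogonId")
                == alert["process.Ext.authentication_id"]):
            return {"source.ip": ev.get("source.ip"),
                    "package": ev.get("winlog.event_data.AuthenticationPackageName")}
    return None


def _ps(host, sbid, seq, total, text):
    """Constructed PowerShell script-block event (pid fixed to the alerting process)."""
    return {"host.id": host, "process.pid": 4242, "powershell.file.script_block_id": sbid,
            "powershell.sequence": seq, "powershell.total": total,
            "powershell.file.script_block_text": text}


# Constructed sample data (not real telemetry).
ALERT = {"host.id": "h-01", "process.pid": 4242, "process.Ext.authentication_id": "0x3e7a1"}
PS_EVENTS = [
    _ps("h-01", "blk-A", 2, 2, "\\Windows\\NTDS\\ntds.dit' C:\\Temp\\n.dit"),   # arrives out of order
    _ps("h-01", "blk-A", 1, 2, "Copy-Item '\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"),
    _ps("h-01", "blk-B", 1, 2, "Get-ChildItem C:\\Temp"),                         # fragment 2 missing
    _ps("h-02", "blk-C", 1, 1, "Copy-Item C:\\Windows\\System32\\config\\SAM D:\\"),  # other host
]
SEC_EVENTS = [
    {"host.id": "h-01", "event.code": "4624", "winlog.event_data.TargetLogonId": "0x3e7a1",
     "source.ip": "10.0.0.25", "winlog.event_data.AuthenticationPackageName": "NTLM"},
]

if __name__ == "__main__":
    for sbid, info in reconstruct_script_blocks(PS_EVENTS, ALERT["host.id"], ALERT["process.pid"]).items():
        print(sbid, "complete" if info["complete"] else "UNRESOLVED", info["hits"])
    print(session_origin(ALERT, SEC_EVENTS))
```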
Related rules
- Credential Acquisition via Registry Hive Dumping
- Potential Local NTLM Relay via HTTP
- Wireless Credential Dumping using Netsh Command
- Microsoft IIS Connection Strings Decryption
- Credential Access via TruffleHog Execution