NTDSutil Pulling of NTDS.dit File

 1title: NTDSutil Pulling of NTDS.dit File
 2id: e6be4f3d-9ef7-49ff-a18e-633ae489b3e4
 3status: experimental
 4description: Detects use of the ntdsutil utility to pull ntds.dit (Active Directory database). 
 5references:
 6    - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
 7    - https://adsecurity.org/?p=2398#CreateIFM
 8author: Micah Babinski
 9date: 2022/11/27
10tags:
11    - attack.credential_access
12    - attack.t1003
13    - attack.t1003.003
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        Image|endswith: '\ntdsutil.exe'
20        CommandLine|contains:
21            - 'create'
22            - 'full'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high```

References

• DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector | Microsoft Security Blog

  

  In recent months, Microsoft has detected active ransomware and extortion campaigns impacting the global education sector, particularly in the US, by a threat actor we track as DEV-0832, also known as Vice Society.

  
  Read More

• » How Attackers Dump Active Directory Database Credentials » Active Directory Security

  

  I previously posted some information on dumping AD database credentials before in a couple of posts: “How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller” and “Atta...

  
  Read More

Related rules

• Abnormal LSASS Child and Parent Process Relationships
• Abnormal LSASS Process Access and Injection