Ntdsutil Abuse

Detects potential abuse of ntdsutil to dump ntds.dit database

Sigma rule

title: Ntdsutil Abuse
id: e6e88853-5f20-4c4a-8d26-cd469fd8d31f
status: test
description: Detects potential abuse of ntdsutil to dump ntds.dit database
references:
    - https://twitter.com/mgreen27/status/1558223256704122882
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/14
tags:
    - attack.credential_access
    - attack.t1003.003
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'ESENT'
        EventID:
            - 216
            - 325
            - 326
            - 327
        Data|contains: 'ntds.dit'
    condition: selection
falsepositives:
    - Legitimate backup operation/creating shadow copies
level: medium
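The selection above, applied to Windows Application log records as an added example (this is not part of the Sigma rule or of any SigmaHQ tooling). The event records are constructed; ESENT writes its EventData as positional strings, so the matcher joins them into one container, which is what the rule's comment about the 'Data' field is getting at.

```python
"""Evaluate the 'Ntdsutil Abuse' Sigma selection over Application log records.

Added example, not the Sigma rule's own code. Event records below are
constructed for illustration; 'Data' holds ESENT's positional EventData
strings, which have no field names, so the rule treats them as one blob.
"""

ESENT_EVENT_IDS = {216, 325, 326, 327}  # the rule's EventID list (OR)


def matches_ntdsutil_abuse(event: dict) -> bool:
    """True when the event satisfies the rule's 'selection' block.

    Sigma semantics: every key in the selection must hold (AND), a list value
    is an OR, and 'contains' is a case-insensitive substring test.
    """
    if event.get("Provider_Name") != "ESENT":
        return False
    if event.get("EventID") not in ESENT_EVENT_IDS:
        return False
    data = event.get("Data", [])
    if isinstance(data, str):
        data = [data]
    # Flatten the positional strings into the single 'Data' container.
    container = " ".join(str(d) for d in data)
    return "ntds.dit" in container.lower()


# Constructed sample records (RecordNumber values are made up).
SAMPLE_EVENTS = [
    {"RecordNumber": 1, "Provider_Name": "ESENT", "EventID": 325,
     "Data": ["lsass", "4711,D,0", r"C:\Temp\Active Directory\ntds.dit"]},
    {"RecordNumber": 2, "Provider_Name": "ESENT", "EventID": 327,
     "Data": ["wuaueng.dll", "5120,R,98",
              r"C:\Windows\SoftwareDistribution\DataStore\DataStore.edb"]},
    {"RecordNumber": 3, "Provider_Name": "Microsoft-Windows-Backup",
     "EventID": 4, "Data": [r"C:\Windows\NTDS\ntds.dit"]},
    {"RecordNumber": 4, "Provider_Name": "ESENT", "EventID": 216,
     "Data": ["lsass", "4711,D,0", r"C:\Windows\NTDS\NTDS.DIT"]},
]


def scan(events) -> list:
    """Return the RecordNumbers of events that trigger the rule."""
    return [e["RecordNumber"] for e in events if matches_ntdsutil_abuse(e)]


if __name__ == "__main__":
    print("matching records:", scan(SAMPLE_EVENTS))  # → [1, 4]
```

Record 2 is the usual benign ESENT noise (a different database) and record 3 shows that the provider filter, not the file name alone, decides the match; record 4 is why the case-insensitive test matters.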
