Ntdsutil Abuse

Detects potential abuse of ntdsutil to dump ntds.dit database

Sigma rule (View on GitHub)

 1title: Ntdsutil Abuse
 2id: e6e88853-5f20-4c4a-8d26-cd469fd8d31f
 3status: test
 4description: Detects potential abuse of ntdsutil to dump ntds.dit database
 5references:
 6    - https://twitter.com/mgreen27/status/1558223256704122882
 7    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022/08/14
10tags:
11    - attack.credential_access
12    - attack.t1003.003
13logsource:
14    product: windows
15    service: application
16    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
17detection:
18    selection:
19        Provider_Name: 'ESENT'
20        EventID:
21            - 216
22            - 325
23            - 326
24            - 327
25        Data|contains: 'ntds.dit'
26    condition: selection
27falsepositives:
28    - Legitimate backup operation/creating shadow copies
29level: medium

References

Related rules

to-top