Dump Ntds.dit To Suspicious Location
Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
Sigma rule (View on GitHub)
1title: Dump Ntds.dit To Suspicious Location
2id: 94dc4390-6b7c-4784-8ffc-335334404650
3status: test
4description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
5references:
6 - https://twitter.com/mgreen27/status/1558223256704122882
7 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022/08/14
10modified: 2023/10/23
11tags:
12 - attack.execution
13logsource:
14 product: windows
15 service: application
16 # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
17detection:
18 selection_root:
19 Provider_Name: 'ESENT'
20 EventID: 325 # New Database Created
21 Data|contains: 'ntds.dit'
22 selection_paths:
23 Data|contains:
24 # Add more locations that you don't use in your env or that are just suspicious
25 - ':\ntds.dit'
26 - '\Appdata\'
27 - '\Desktop\'
28 - '\Downloads\'
29 - '\Perflogs\'
30 - '\Temp\'
31 - '\Users\Public\'
32 condition: all of selection_*
33falsepositives:
34 - Legitimate backup operation/creating shadow copies
35level: medium
References
-
-
Virtualized Domain Controller Troubleshooting Article 08/31/2016 Applies To: Windows Server 2012, Windows 8 This topic provides detailed methodology on troubleshooting the virtualized domain contro...
Read More
Related rules
- MSI Installation From Suspicious Locations
- Diamond Sleet APT File Creation Indicators
- Diamond Sleet APT Process Activity Indicators
- Diamond Sleet APT Scheduled Task Creation
- Onyx Sleet APT File Creation Indicators