Dump Ntds.dit To Suspicious Location

Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location

Sigma rule (View on GitHub)

 1title: Dump Ntds.dit To Suspicious Location
 2id: 94dc4390-6b7c-4784-8ffc-335334404650
 3status: test
 4description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
 5references:
 6    - https://twitter.com/mgreen27/status/1558223256704122882
 7    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022/08/14
10modified: 2023/10/23
11tags:
12    - attack.execution
13logsource:
14    product: windows
15    service: application
16    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
17detection:
18    selection_root:
19        Provider_Name: 'ESENT'
20        EventID: 325 # New Database Created
21        Data|contains: 'ntds.dit'
22    selection_paths:
23        Data|contains:
24            # Add more locations that you don't use in your env or that are just suspicious
25            - ':\ntds.dit'
26            - '\Appdata\'
27            - '\Desktop\'
28            - '\Downloads\'
29            - '\Perflogs\'
30            - '\Temp\'
31            - '\Users\Public\'
32    condition: all of selection_*
33falsepositives:
34    - Legitimate backup operation/creating shadow copies
35level: medium

References

Related rules

to-top