NTDS.DIT Created
Detects creation of a file named "ntds.dit" (Active Directory Database)
Sigma rule

```yaml
title: NTDS.DIT Created
id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database)
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: 'ntds.dit'
    condition: selection
falsepositives:
    - Unknown
level: low
```
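To show what this rule actually fires on, the following added example (not the rule's own code nor anything from SigmaHQ) applies the `selection` block's `|endswith` match, using Sigma's default case-insensitive string comparison, to constructed Sysmon Event ID 11 (FileCreate) records. The field name `TargetFilename` is the one the rule uses; the images and paths are made up, and the evaluator only handles a single-selection `condition`.

```python
# Added example: minimal evaluator for this rule's single selection.
# Rule fields copied from the published rule above (only what is needed here).
RULE = {
    "logsource": {"product": "windows", "category": "file_event"},
    "detection": {
        "selection": {"TargetFilename|endswith": "ntds.dit"},
        "condition": "selection",
    },
}

# Constructed sample Sysmon file_event records; paths are illustrative only.
EVENTS = [
    {"EventID": "11", "Image": r"C:\Windows\System32\ntdsutil.exe",
     "TargetFilename": r"C:\Temp\backup\Active Directory\ntds.dit"},
    {"EventID": "11", "Image": r"C:\Windows\System32\esentutl.exe",
     "TargetFilename": r"C:\Users\Public\NTDS.DIT"},           # upper case still hits
    {"EventID": "11", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\NTDS\ntds.dit.bak"},        # suffix differs: no hit
    {"EventID": "11", "Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\Program Files\App\data\config.dit"},  # no hit
]

def field_matches(event, key_with_mod, expected):
    """Apply one Sigma field modifier. Sigma string matching is
    case-insensitive by default, so both sides are lower-cased first."""
    field, _, modifier = key_with_mod.partition("|")
    value = str(event.get(field, "")).lower()
    expected = str(expected).lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "contains":
        return expected in value
    return value == expected          # no modifier: whole-value match

def selection_matches(event, selection):
    # Every field inside one selection must match (logical AND).
    return all(field_matches(event, k, v) for k, v in selection.items())

def run_rule(rule, events):
    """Return the events that satisfy `condition: selection`."""
    det = rule["detection"]
    assert det["condition"] == "selection", "only a single-selection condition is handled"
    return [e for e in events if selection_matches(e, det["selection"])]

if __name__ == "__main__":
    for hit in run_rule(RULE, EVENTS):
        print(f"{hit['Image']} created {hit['TargetFilename']}")
```

Because the match is a plain suffix test, a copy of the database written under any other name is outside this rule's scope, which is why the related rules on tools such as ntdsutil, esentutl and shadow-copy creation are usually deployed alongside it.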
Related rules
- Active Directory Database Snapshot Via ADExplorer
- Copying Sensitive Files with Credential Data
- Create Volume Shadow Copy with Powershell
- Cred Dump Tools Dropped Files
- Esentutl Gather Credentials