NTDS.DIT Creation By Uncommon Process

calendar May 5, 2023 · attack.credential_access attack.t1003.002 attack.t1003.003  ·
Share on: linkedin copy

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory

Sigma rule (View on GitHub)

 1title: NTDS.DIT Creation By Uncommon Process
 2id: 11b1ed55-154d-4e82-8ad7-83739298f720
 3related:
 4    - id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
 5      type: similar
 6status: test
 7description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
 8references:
 9    - https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/
10    - https://adsecurity.org/?p=2398
11author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
12date: 2022/01/11
13modified: 2022/07/14
14tags:
15    - attack.credential_access
16    - attack.t1003.002
17    - attack.t1003.003
18logsource:
19    product: windows
20    category: file_event
21detection:
22    selection_ntds:
23        TargetFilename|endswith: '\ntds.dit'
24    selection_process_img:
25        Image|endswith:
26            # Add more suspicious processes as you see fit
27            - '\cmd.exe'
28            - '\cscript.exe'
29            - '\mshta.exe'
30            - '\powershell.exe'
31            - '\pwsh.exe'
32            - '\regsvr32.exe'
33            - '\rundll32.exe'
34            - '\wscript.exe'
35            - '\wsl.exe'
36            - '\wt.exe'
37    selection_process_paths:
38        Image|contains:
39            - '\AppData\'
40            - '\Temp\'
41            - '\Public\'
42            - '\PerfLogs\'
43    condition: selection_ntds and 1 of selection_process_*
44falsepositives:
45    - Unknown
46level: high

References

Related rules

to-top