NTDS Exfiltration Filename Patterns
Detects creation of files with specific name patterns used by various tools that export the NTDS.DIT for exfiltration.
Sigma rule

```yaml
title: NTDS Exfiltration Filename Patterns
id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a
status: test
description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
references:
    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb
    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
    - https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
author: Florian Roth (Nextron Systems)
date: 2022-03-11
modified: 2023-05-05
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\All.cab' # https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
            - '.ntds.cleartext' # https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
    condition: selection
falsepositives:
    - Unknown
level: high
```
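As an added example (not part of the rule or of the Sigma project's tooling), the selection above applied in Python to constructed Sysmon file-creation records in JSON-lines form. It assumes the `windows/file_event` logsource is fed by Sysmon Event ID 11 and that the field is named `TargetFilename` as in Sysmon; the log lines are made up.

```python
"""Evaluate the 'NTDS Exfiltration Filename Patterns' selection over JSON log lines."""
import json

# Suffixes copied from the rule's TargetFilename|endswith selection.
NTDS_SUFFIXES = ("\\All.cab", ".ntds.cleartext")

# Assumption: Sigma's windows/file_event logsource maps to Sysmon Event ID 11 (FileCreate).
SYSMON_FILE_CREATE = 11


def matches_ntds_rule(record: dict) -> bool:
    """Return True when a record satisfies the rule's logsource and selection."""
    if record.get("EventID") != SYSMON_FILE_CREATE:
        return False  # e.g. FileDelete (ID 23) also carries TargetFilename but is out of scope
    # Sigma string matching is case-insensitive; 'endswith' is a plain suffix test,
    # so '\All.cab' requires the backslash and does not match 'CbsPersist_all.cab'.
    name = record.get("TargetFilename", "").lower()
    return any(name.endswith(suffix.lower()) for suffix in NTDS_SUFFIXES)


def scan(lines):
    """Return (Image, TargetFilename) pairs for every line that triggers the rule."""
    hits = []
    for line in lines:
        record = json.loads(line)
        if matches_ntds_rule(record):
            hits.append((record.get("Image", "?"), record["TargetFilename"]))
    return hits


# Constructed sample telemetry (raw strings so the JSON keeps escaped backslashes).
SAMPLE_LOG = [
    r'{"EventID": 11, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetFilename": "C:\\Windows\\Temp\\All.cab"}',
    r'{"EventID": 11, "Image": "C:\\Python39\\python.exe", "TargetFilename": "C:\\Users\\Public\\dc01.ntds.cleartext"}',
    r'{"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\Logs\\CBS\\CbsPersist_all.cab"}',
    r'{"EventID": 23, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\jdoe\\Desktop\\All.cab"}',
]

if __name__ == "__main__":
    for image, target in scan(SAMPLE_LOG):
        print(f"ALERT level=high rule='NTDS Exfiltration Filename Patterns' image={image} file={target}")
```

Only the two creation events with the exact suffixes alert; the servicing-stack cabinet and the deletion event are ignored, which is the behaviour a tuning pass should confirm before promoting the rule from `test`.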
Related rules
- Active Directory Database Snapshot Via ADExplorer
- Copying Sensitive Files with Credential Data
- Create Volume Shadow Copy with Powershell
- Cred Dump Tools Dropped Files
- Esentutl Gather Credentials