NTDS Exfiltration Filename Patterns

calendar May 5, 2023 · attack.credential_access attack.t1003.003  ·
Share on: linkedin copy

Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.

Sigma rule (View on GitHub)

 1title: NTDS Exfiltration Filename Patterns
 2id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a
 3status: test
 4description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
 5references:
 6    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb
 7    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
 8    - https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
 9author: Florian Roth (Nextron Systems)
10date: 2022/03/11
11modified: 2023/05/05
12tags:
13    - attack.credential_access
14    - attack.t1003.003
15logsource:
16    product: windows
17    category: file_event
18detection:
19    selection:
20        TargetFilename|endswith:
21            - '\All.cab' # https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
22            - '.ntds.cleartext' # https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

Related rules

to-top