Suspicious Get-ADDBAccount Usage
Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
Sigma rule (View on GitHub)
1title: Suspicious Get-ADDBAccount Usage
2id: b140afd9-474b-4072-958e-2ebb435abd68
3status: test
4description: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
5references:
6 - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
7 - https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md
8author: Florian Roth (Nextron Systems)
9date: 2022/03/16
10tags:
11 - attack.credential_access
12 - attack.t1003.003
13logsource:
14 product: windows
15 category: ps_module
16 definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
17detection:
18 selection:
19 Payload|contains|all:
20 - 'Get-ADDBAccount'
21 - 'BootKey '
22 - 'DatabasePath '
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
-
There are two common reasons you may want to change a user’s password during a penetration test: You have their NT hash but not their plaintext password. Changing their password to a known plaintex...
Read More -
Directory Services Internals (DSInternals) PowerShell Module and Framework - MichaelGrafnetter/DSInternals
Read More
Related rules
- NTDS.DIT Creation By Uncommon Parent Process
- NTDS Exfiltration Filename Patterns
- NTDS.DIT Creation By Uncommon Process
- VolumeShadowCopy Symlink Creation Via Mklink
- Copying Sensitive Files with Credential Data