Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.
Sigma rule (View on GitHub)
1title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
2id: a58353df-af43-4753-bad0-cd83ef35eef5
3related:
4 - id: 2afafd61-6aae-4df4-baed-139fa1f4c345
5 type: derived
6status: test
7description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.
8references:
9 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)
10 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022-09-14
13tags:
14 - attack.credential-access
15 - attack.t1003.003
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - Image|endswith: '\ntdsutil.exe'
22 - OriginalFileName: 'ntdsutil.exe'
23 selection_cli:
24 - CommandLine|contains|all:
25 - 'snapshot'
26 - 'mount ' # mounts a specific snapshot - Ex: ntdsutil snapshot "mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb" quit quit
27 - CommandLine|contains|all:
28 # This offers more coverage to the "selection_oneliner_1" case in rule 8bc64091-6875-4881-aaf9-7bd25b5dda08
29 # The shorest form of "activate" can "ac". But "act", "acti"...etc are also valid forms
30 # Same case with the "instance" flag
31 - 'ac'
32 - ' i'
33 - ' ntds'
34 condition: all of selection_*
35falsepositives:
36 - Legitimate usage to restore snapshots
37 - Legitimate admin activity
38level: medium
References
-
Governments and state-owned organizations are the latest targets of a well-established threat actor.
Read More
Related rules
- Active Directory Database Snapshot Via ADExplorer
- Copying Sensitive Files with Credential Data
- Create Volume Shadow Copy with Powershell
- Cred Dump Tools Dropped Files
- Esentutl Gather Credentials