Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)

Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.

Sigma rule (View on GitHub)

 1title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
 2id: a58353df-af43-4753-bad0-cd83ef35eef5
 3related:
 4    - id: 2afafd61-6aae-4df4-baed-139fa1f4c345
 5      type: derived
 6status: test
 7description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.
 8references:
 9    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)
10    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022-09-14
13tags:
14    - attack.credential-access
15    - attack.t1003.003
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith: '\ntdsutil.exe'
22        - OriginalFileName: 'ntdsutil.exe'
23    selection_cli:
24        - CommandLine|contains|all:
25              - 'snapshot'
26              - 'mount ' # mounts a specific snapshot - Ex: ntdsutil snapshot "mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb" quit quit
27        - CommandLine|contains|all:
28              # This offers more coverage to the "selection_oneliner_1" case in rule 8bc64091-6875-4881-aaf9-7bd25b5dda08
29              # The shorest form of "activate" can "ac". But "act", "acti"...etc are also valid forms
30              # Same case with the "instance" flag
31              - 'ac'
32              - ' i'
33              - ' ntds'
34    condition: all of selection_*
35falsepositives:
36    - Legitimate usage to restore snapshots
37    - Legitimate admin activity
38level: medium

References

Related rules

to-top