Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
Sigma rule

```yaml
title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
id: 2afafd61-6aae-4df4-baed-139fa1f4c345
status: test
description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
author: Thomas Patzke
date: 2019-01-16
modified: 2022-03-11
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ntdsutil.exe'
    condition: selection
falsepositives:
    - NTDS maintenance
level: medium
```
References
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
Related rules
- Active Directory Database Snapshot Via ADExplorer
- Copying Sensitive Files with Credential Data
- Create Volume Shadow Copy with Powershell
- Cred Dump Tools Dropped Files
- Esentutl Gather Credentials