Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
Sigma rule
title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
id: 2afafd61-6aae-4df4-baed-139fa1f4c345
status: test
description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
references:
  - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
author: Thomas Patzke
date: 2019/01/16
modified: 2022/03/11
tags:
  - attack.credential_access
  - attack.t1003.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\ntdsutil.exe'
  condition: selection
falsepositives:
  - NTDS maintenance
level: medium
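To show what the selection above actually matches, here is an added example (not code from the Sigma project or from the rule author) that mirrors the rule's detection block as a Python dictionary and evaluates it against a handful of constructed process_creation events. It implements only the small subset of Sigma semantics the rule needs (map selections are ANDed, list values are ORed, `endswith`/`startswith`/`contains` modifiers, and case-insensitive string comparison, which is Sigma's default) and is not a general Sigma engine. Two of the sample events are there to show why the value starts with a backslash: `notntdsutil.exe` and `ntdsutil.exe.bak` must not fire, while a differently cased `NTDSUTIL.EXE` must.

```python
"""Minimal evaluator for the ntdsutil.exe Sigma selection (added example).

Only the Sigma features used by this rule (plus two common string modifiers)
are implemented; this is an illustration, not a Sigma backend.
"""

# Mirror of the rule's detection block, copied from the page.
DETECTION = {
    "selection": {"Image|endswith": "\\ntdsutil.exe"},
    "condition": "selection",
}

# Constructed sample process_creation events (not real telemetry).
# Field names follow the Sigma process_creation taxonomy (Image, User, ...).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\ntdsutil.exe", "User": "CORP\\svc-backup"},
    {"Image": "C:\\Windows\\SysWOW64\\NTDSUTIL.EXE", "User": "CORP\\jdoe"},
    {"Image": "C:\\Windows\\System32\\ntdsutil.exe.bak", "User": "CORP\\jdoe"},
    {"Image": "C:\\Tools\\notntdsutil.exe", "User": "CORP\\jdoe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jdoe"},
]


def _value_matches(actual, expected, modifier):
    """Compare one field value against one expected value.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased before comparison.
    """
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return a == e
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")


def _field_matches(event, key, expected):
    """Evaluate 'Field|modifier: value' (or a list of values, which is an OR)."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    values = expected if isinstance(expected, list) else [expected]
    return any(_value_matches(event[field], v, modifier) for v in values)


def selection_matches(event, selection):
    """A map-style selection is an AND of all its field conditions."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate(event, detection=DETECTION):
    """Evaluate the rule against one event.

    This rule's condition is a single selection name, so it is resolved
    directly; boolean condition expressions are not implemented here.
    """
    name = detection["condition"].strip()
    return selection_matches(event, detection[name])


def matching_images(events=SAMPLE_EVENTS, detection=DETECTION):
    """Return the Image path of every event the rule fires on."""
    return [e["Image"] for e in events if evaluate(e, detection)]


if __name__ == "__main__":
    for image in matching_images():
        print("ALERT (level: medium):", image)
```

Running the block prints alerts for the two genuine ntdsutil.exe executions only. The first of them runs under a backup service account, which is the kind of hit the rule's `falsepositives` entry (NTDS maintenance) refers to; since the rule keys on the image path alone, triage of that case has to come from surrounding context (user, parent process, host role, change window) rather than from the rule itself.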
Related rules
- Possible Impacket SecretDump Remote Activity - Zeek
- Dumping Process via Sqldumper.exe
- Suspicious SYSVOL Domain Group Policy Access
- WCE wceaux.dll Access
- Credentials In Files