attack.t1003.003

Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers

NTDS.DIT Creation By Uncommon Parent Process

May 9, 2023 · attack.credential_access attack.t1003.003 ·

Share on:

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory

NTDS Exfiltration Filename Patterns

May 5, 2023 · attack.credential_access attack.t1003.003 ·

Share on:

Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.

NTDS.DIT Created

May 5, 2023 · attack.credential_access attack.t1003.003 ·

Share on:

Detects creation of a file named "ntds.dit" (Active Directory Database)

NTDS.DIT Creation By Uncommon Process

May 5, 2023 · attack.credential_access attack.t1003.002 attack.t1003.003 ·

Share on:

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory

Suspicious Active Directory Database Snapshot Via ADExplorer

Mar 15, 2023 · attack.credential_access attack.t1552.001 attack.t1003.003 ·

Share on:

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.

Active Directory Database Snapshot Via ADExplorer

Mar 14, 2023 · attack.credential_access attack.t1552.001 attack.t1003.003 ·

Share on:

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.

VolumeShadowCopy Symlink Creation Via Mklink

Mar 7, 2023 · attack.credential_access attack.t1003.002 attack.t1003.003 ·

Share on:

Shadow Copies storage symbolic link creation using operating systems utilities

Copying Sensitive Files with Credential Data

Mar 5, 2023 · attack.credential_access attack.t1003.002 attack.t1003.003 car.2013-07-001 attack.s0404 ·

Share on:

Files with well-known filenames (sensitive files with credential data) copying

Transferring Files with Credential Data via Network Shares

Feb 27, 2023 · attack.credential_access attack.t1003.002 attack.t1003.001 attack.t1003.003 ·

Share on:

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Esentutl Gather Credentials

Feb 21, 2023 · attack.credential_access attack.t1003 attack.t1003.003 ·

Share on:

Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.

PUA - DIT Snapshot Viewer

Feb 21, 2023 · attack.credential_access attack.t1003.003 ·

Share on:

Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.

Create Volume Shadow Copy with Powershell

Jan 27, 2023 · attack.credential_access attack.t1003.003 ·

Share on:

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information

Transferring Files with Credential Data via Network Shares - Zeek

Dec 27, 2022 · attack.credential_access attack.t1003.002 attack.t1003.001 attack.t1003.003 ·

Share on:

Transferring files with well-known filenames (sensitive files with credential data) using network shares

NTDSutil Pulling of NTDS.dit File

Nov 29, 2022 · attack.credential_access attack.t1003 attack.t1003.003 ·

Share on:

Detects use of the ntdsutil utility to pull ntds.dit (Active Directory database).

Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)

Oct 28, 2022 · attack.credential_access attack.t1003.003 ·

Share on:

Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)

Possible Impacket SecretDump Remote Activity - Zeek

Oct 25, 2022 · attack.credential_access attack.t1003.002 attack.t1003.004 attack.t1003.003 ·

Share on:

Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml