Detects suspicious executed commands to create a copy or restore a snapshot of the ntds.dit file using Living Of the Land BINaries (LOLBIN).
Example:
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" ntdsutil "activate instance ntds" "ifm" "create full c:\windows\temp\data" "quit" "quit" wmic process call create "ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\pro wmic process call create "cmd.exe /c ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\Pro" wmic process call create "cmd.exe /c mkdir C:\Windows\Temp\tmp & ntdsutil "ac i ntds" ifm ntdsutil snapshot "mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb" quit quit
Related
LOLBINs, Volt Typhoon activity
Reference
https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/identifying-and-mitigating-living-off-the-land-techniques
https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection
https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
https://github.com/SigmaHQ/sigma/blob/49adcf9a00247ed6c3daacba03b589470f6716d0/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
{{ mitre("T1003.003")}}
Data Source(s): Command, Process
let selection_main = dynamic(['wmic.exe','powershell.exe','cmd.exe','ntdsutil.exe']);
let selection_command = dynamic([' create', ' ntds']);
let selection_cli_1 = dynamic(['snapshot', 'mount ']);
union isfuzzy=true
(DeviceProcessEvents
| where FolderPath has_any(selection_main) or ProcessVersionInfoOriginalFileName has_any(selection_main)
| where ProcessCommandLine has_all (selection_command) or ProcessCommandLine has_all (selection_cli_1)
),
(SecurityEvent
| where EventID == 4688
| where Process has_any(selection_main)
| where CommandLine has_all (selection_command) or CommandLine has_all (selection_cli_1)
)
- Inspect if the activity was expected and approved
- Legitimate usage to restore snapshots
- Legitimate admin activity
Version 1.0 (date 19/03/2024)