Detects the creation of a file named "ntds.dit" (the Active Directory database) in a suspicious location on a server,
e.g. the output of ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
LOLBins
Credential Access
https://github.com/SigmaHQ/sigma/blob/583f08ecaca532c7bff6e56e73c2e25c5b184796/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml
https://github.com/SigmaHQ/sigma/blob/583f08ecaca532c7bff6e56e73c2e25c5b184796/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
https://adsecurity.org/?p=2398
{{ mitre("T1003.003")}}
Data Source(s): File
let selection_paths = dynamic([@':\ntds.dit', @'\Appdata\', @'\Desktop\', @'\Downloads\', @'\Perflogs\', @'\Temp\', @'\Users\Public\']);
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath endswith @"\ntds.dit" and FolderPath has_any (selection_paths)
| where InitiatingProcessFileName <> "TiWorker.exe" // exclude Windows Modules Installer
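The following Python is an added example, not part of the original rule or of the SigmaHQ project: it re-implements the KQL above as a plain function so the matching logic (the FileCreated filter, the "\ntds.dit" suffix, the suspicious-path fragments and the TiWorker.exe exclusion) can be exercised offline against constructed DeviceFileEvents rows. The event records, device names and account names are constructed sample data. The one deliberate difference from the query is that the process-name exclusion is compared case-insensitively, whereas KQL's `<>` is case-sensitive.

```python
from dataclasses import dataclass

# Path fragments taken from the rule's `selection_paths` list. KQL `has_any` / `contains`
# and `endswith` are case-insensitive, so all comparisons below lower-case both sides.
SELECTION_PATHS = [
    ":\\ntds.dit",      # ntds.dit dropped in a drive root
    "\\Appdata\\",
    "\\Desktop\\",
    "\\Downloads\\",
    "\\Perflogs\\",
    "\\Temp\\",
    "\\Users\\Public\\",
]

# Process excluded by the rule (Windows Modules Installer touches ntds.dit during servicing).
EXCLUDED_INITIATORS = {"tiworker.exe"}


@dataclass(frozen=True)
class DeviceFileEvent:
    """Subset of the Defender DeviceFileEvents columns the rule uses (constructed records)."""
    timestamp: str
    device_name: str
    action_type: str
    folder_path: str
    initiating_process_file_name: str
    account_name: str


def is_suspicious_ntds_creation(ev: DeviceFileEvent) -> bool:
    """Mirror of the KQL `where` clauses: True when the event would be returned by the query."""
    if ev.action_type != "FileCreated":
        return False
    path = ev.folder_path.lower()
    if not path.endswith("\\ntds.dit"):
        return False
    if not any(fragment.lower() in path for fragment in SELECTION_PATHS):
        return False
    # Deliberately case-insensitive here; the page's KQL `<>` is case-sensitive.
    if ev.initiating_process_file_name.lower() in EXCLUDED_INITIATORS:
        return False
    return True


def hunt(events):
    """Return the events an analyst would need to triage (FolderPath, user, time)."""
    return [ev for ev in events if is_suspicious_ntds_creation(ev)]


# Constructed sample telemetry covering a true positive, the legitimate AD location,
# the TiWorker.exe exclusion, a drive-root drop, a non-creation action and a near-miss name.
SAMPLE_EVENTS = [
    DeviceFileEvent("2024-03-15T09:12:01Z", "DC01", "FileCreated",
                    "C:\\Temp\\Active Directory\\ntds.dit", "ntdsutil.exe", "jdoe"),
    DeviceFileEvent("2024-03-15T09:12:05Z", "DC01", "FileCreated",
                    "C:\\Windows\\NTDS\\ntds.dit", "lsass.exe", "SYSTEM"),
    DeviceFileEvent("2024-03-15T10:00:00Z", "DC02", "FileCreated",
                    "C:\\Users\\Public\\ntds.dit", "TiWorker.exe", "SYSTEM"),
    DeviceFileEvent("2024-03-15T11:30:44Z", "DC02", "FileCreated",
                    "D:\\ntds.dit", "cmd.exe", "svc_backup"),
    DeviceFileEvent("2024-03-15T11:31:00Z", "DC02", "FileRenamed",
                    "C:\\Temp\\ntds.dit", "explorer.exe", "jdoe"),
    DeviceFileEvent("2024-03-15T12:00:00Z", "DC03", "FileCreated",
                    "C:\\Users\\jdoe\\Downloads\\ntds.dit.bak", "powershell.exe", "jdoe"),
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        # Print exactly the fields the triage step asks an analyst to verify.
        print(f"{hit.timestamp} {hit.device_name} {hit.account_name} "
              f"{hit.initiating_process_file_name} -> {hit.folder_path}")
```

Running the block prints two events: the ntdsutil.exe write under C:\Temp and the drive-root D:\ntds.dit drop; the lsass.exe write to the real NTDS directory, the TiWorker.exe write, the rename and the ".bak" file are all filtered out, matching what the KQL would return.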
- Verify the FolderPath, the user account, and the time of the activity, and confirm whether it is expected
- Pentesting
- Legitimate admin activities
Version 1.0 (date: 15/03/2024)