Creation of a file named ntds.dit (the Active Directory database) can indicate that a domain controller's directory data has been copied or extracted, since this file holds the directory and its credential material and is not normally created outside directory-service operations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise of domain controllers and sensitive directory information.
Detection Rule
title: NTDS.DIT Created
id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database)
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: 'ntds.dit'
    condition: selection
falsepositives:
    - Unknown
level: low
imFileEvent
| where EventType == "FileCreated"          // logsource category file_event covers file creation only (Sysmon Event ID 11)
| where TargetFileName endswith "ntds.dit"  // KQL endswith is case-insensitive, matching Sigma's default string matching
Scenario: A system administrator creates a file named ntds.dit during a manual configuration task or troubleshooting.
Filter/Exclusion: Exclude events where the file is created by a known admin account (e.g., Administrator, SYSTEM) or during a specific maintenance window.
Scenario: A scheduled task or service (e.g., Windows Task Scheduler, SQL Server Agent) creates a file named ntds.dit as part of a legitimate backup or log rotation process.
Filter/Exclusion: Exclude events where the file creation is associated with a known service or task (e.g., SQLAgent, TaskScheduler) or occurs within a known backup directory.
Scenario: A legitimate application or tool (e.g., PowerShell, Windows Explorer, Robocopy) creates a file named ntds.dit as part of a file system operation or script execution.
Filter/Exclusion: Exclude events where the process is associated with a trusted application or user (e.g., powershell.exe, explorer.exe) or occurs in a known script directory.
Scenario: A user or application creates a file named ntds.dit as part of a test or development environment setup.
Filter/Exclusion: Exclude events where the file is created in a test or development directory (e.g., C:\Test, D:\Dev) or by a user with a known development role.
Scenario: A system update or patching tool (e.g., Windows Update, WSUS, SCCM) creates a file named ntds.dit temporarily during an installation or configuration process.
Filter/Exclusion: Exclude events where the file creation is associated with a known patching tool or occurs during a scheduled update window.
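The following Python model is an added example, not part of the Sigma rule or the Sentinel query above: it reproduces the rule's selection (a file-creation event whose target name ends in ntds.dit, compared case-insensitively as Sigma and KQL `endswith` do) and layers the tuning filters from the scenarios above on top, then runs both over a handful of constructed imFileEvent-style records. Column names follow the ASIM FileEvent schema; the allowlisted account, directories, process set and maintenance window are hypothetical placeholders, and the sample events are invented.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class FileEvent:
    """The imFileEvent columns the hunt needs (constructed subset, not the full ASIM schema)."""
    time_generated: datetime
    event_type: str         # ASIM EventType: "FileCreated", "FileModified", ...
    target_file_path: str   # TargetFilePath: full path of the file acted on
    acting_process: str     # ActingProcessName: image name of the creating process
    actor_username: str     # ActorUsername: account performing the action


def base_selection(ev: FileEvent) -> bool:
    """Mirror of the Sigma selection / KQL predicate: a file-creation event whose target
    name ends in ntds.dit. Sigma modifiers and KQL endswith are case-insensitive, so the
    comparison folds case (an upper-case NTDS.DIT copy must not slip past)."""
    return ev.event_type == "FileCreated" and ev.target_file_path.lower().endswith("ntds.dit")


# Tuning knobs modelled on the Filter/Exclusion bullets above. Every value here is a
# hypothetical placeholder; a real deployment fills them from its own change records.
KNOWN_ADMIN_ACCOUNTS: Set[str] = {"corp\\svc-adbackup"}   # one named backup account, not all of SYSTEM
TRUSTED_PROCESSES: Set[str] = set()                       # kept empty on purpose; see the note below
KNOWN_BACKUP_DIRS: Tuple[str, ...] = ("d:\\backups\\",)
TEST_OR_DEV_DIRS: Tuple[str, ...] = ("c:\\test\\", "d:\\dev\\")
MAINTENANCE_WINDOW: Tuple[time, time] = (time(1, 0), time(3, 0))  # 01:00-03:00 UTC


def exclusion_reason(ev: FileEvent) -> Optional[str]:
    """Return the name of the first tuning filter that suppresses the event, or None."""
    path = ev.target_file_path.lower()
    if ev.actor_username.lower() in KNOWN_ADMIN_ACCOUNTS:
        return "known_admin_account"
    if ev.acting_process.lower() in TRUSTED_PROCESSES:
        return "trusted_process"
    if path.startswith(KNOWN_BACKUP_DIRS):
        return "known_backup_directory"
    if path.startswith(TEST_OR_DEV_DIRS):
        return "test_or_dev_directory"
    start, end = MAINTENANCE_WINDOW
    if start <= ev.time_generated.astimezone(timezone.utc).time() <= end:
        return "maintenance_window"
    return None


def hunt(events: List[FileEvent]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Apply the rule, then the exclusions.
    Returns (paths that alert, [(suppressed path, name of the filter that suppressed it)])."""
    alerts: List[str] = []
    suppressed: List[Tuple[str, str]] = []
    for ev in events:
        if not base_selection(ev):
            continue
        reason = exclusion_reason(ev)
        if reason is None:
            alerts.append(ev.target_file_path)
        else:
            suppressed.append((ev.target_file_path, reason))
    return alerts, suppressed


def _utc(hour: int, minute: int) -> datetime:
    return datetime(2023, 5, 5, hour, minute, tzinfo=timezone.utc)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[FileEvent] = [
    # Upper-case copy in a temp folder by an ordinary user: must alert.
    FileEvent(_utc(14, 20), "FileCreated", "C:\\Temp\\NTDS.DIT", "cmd.exe", "corp\\jdoe"),
    # Test/development directory scenario.
    FileEvent(_utc(10, 0), "FileCreated", "D:\\Dev\\ntds.dit", "python.exe", "corp\\devuser"),
    # Ordinary writes to the live database are modifications, not creations: no match at all.
    FileEvent(_utc(11, 5), "FileModified", "C:\\Windows\\NTDS\\ntds.dit", "lsass.exe", "NT AUTHORITY\\SYSTEM"),
    # Known backup account writing into the backup share (admin-account filter fires first).
    FileEvent(_utc(2, 0), "FileCreated", "D:\\Backups\\ntds.dit", "backupagent.exe", "corp\\svc-adbackup"),
    # Same user as the first event, but inside the maintenance window: suppressed by time alone.
    FileEvent(_utc(2, 30), "FileCreated", "C:\\Users\\Public\\ntds.dit", "powershell.exe", "corp\\jdoe"),
]

if __name__ == "__main__":
    found, quiet = hunt(SAMPLE_EVENTS)
    print("ALERT:", found)
    for path, reason in quiet:
        print(f"suppressed ({reason}): {path}")
```

The last sample event is the one to study when tuning: it is identical in kind to the event that alerts, yet a time-window exclusion hides it. Exclusions scoped to a named account plus an expected directory (the fourth event) remove far less coverage than a window or a process allowlist, which is why `TRUSTED_PROCESSES` is left empty here: allowlisting general-purpose tools such as powershell.exe or explorer.exe suppresses the event regardless of who drove the process.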