The hypothesis is that an adversary is leveraging a non-standard parent process to create an NTDS.DIT file, potentially to exfiltrate data or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that exploit file system anomalies.
Detection Rule
```yaml
title: NTDS.DIT Creation By Uncommon Parent Process
id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
related:
    - id: 11b1ed55-154d-4e82-8ad7-83739298f720
      type: similar
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
references:
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
    - https://pentestlab.blog/tag/ntds-dit/
    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
author: Florian Roth (Nextron Systems)
date: 2022-03-11
modified: 2023-01-05
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
    definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data'
detection:
    selection_file:
        TargetFilename|endswith: '\ntds.dit'
    selection_process_parent:
        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
        ParentImage|endswith:
            - '\cscript.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\w3wp.exe'
            - '\wscript.exe'
    selection_process_parent_path:
        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
        ParentImage|contains:
            - '\apache'
            - '\tomcat'
            - '\AppData\'
            - '\Temp\'
            - '\Public\'
            - '\PerfLogs\'
    condition: selection_file and 1 of selection_process_*
falsepositives:
    - Unknown
level: high
```
```kusto
imFileEvent
| where TargetFileName endswith "\\ntds.dit"
    and (
        (ActingProcessName endswith "\\cscript.exe"
            or ActingProcessName endswith "\\httpd.exe"
            or ActingProcessName endswith "\\nginx.exe"
            or ActingProcessName endswith "\\php-cgi.exe"
            or ActingProcessName endswith "\\powershell.exe"
            or ActingProcessName endswith "\\pwsh.exe"
            or ActingProcessName endswith "\\w3wp.exe"
            or ActingProcessName endswith "\\wscript.exe")
        or (ActingProcessName contains "\\apache"
            or ActingProcessName contains "\\tomcat"
            or ActingProcessName contains "\\AppData\\"
            or ActingProcessName contains "\\Temp\\"
            or ActingProcessName contains "\\Public\\"
            or ActingProcessName contains "\\PerfLogs\\")
    )
```
**Scenario: Scheduled Job Creating a Temp File**
Description: A legitimate scheduled job (e.g., Task Scheduler or SQL Server Agent) creates a temporary file in the system directory as part of a routine operation.
Filter/Exclusion: Check the parent process for known job scheduling tools (e.g., schtasks.exe, sqlagent.exe) or use a filter like:
`(parent_process_name = "schtasks.exe") or (parent_process_name = "sqlagent.exe")`

**Scenario: System File Creation During Windows Update**
Description: A Windows Update process (e.g., wusa.exe) may create temporary files in system directories during an update.
Filter/Exclusion: Filter by parent process name:
`parent_process_name = "wusa.exe"`

**Scenario: Admin Task Creating a DIT File for Database Backup**
Description: An administrator may use a backup tool (e.g., Veeam Backup & Replication, SQL Backup Utility) to create a DIT file as part of a database backup process.
Filter/Exclusion: Check for known backup tools:
`(parent_process_name = "VeeamBackup.exe") or (parent_process_name = "sqlbackup.exe")`

**Scenario: Log File Generation by a Monitoring Tool**
Description: A system monitoring tool (e.g., Splunk, ELK Stack) may generate a DIT file as part of log processing or data ingestion.
Filter/Exclusion: Filter by parent process name:
`(parent_process_name = "splunkd.exe") or (parent_process_name = "logstash.exe")`
**Scenario: User-Initiated File Creation for
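The rule's condition and the parent-process exclusion approach from the false-positive scenarios, as an added example in Python that is not part of the original page or of the Sigma project: it transcribes the two parent-process selections, evaluates `selection_file and 1 of selection_process_*` over constructed Sysmon EID 11-style events, and layers a tuning allowlist on top. The allowlist entry and every sample event are constructed for illustration; none of them comes from the page.

```python
"""Reference implementation of the rule logic on this page, run over constructed
Sysmon EID 11 (FileCreate) style events. Added example, not the rule's own code."""

# Selection lists transcribed from the rule's detection block.
PARENT_IMAGE_ENDSWITH = (
    "\\cscript.exe", "\\httpd.exe", "\\nginx.exe", "\\php-cgi.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\w3wp.exe", "\\wscript.exe",
)
PARENT_IMAGE_CONTAINS = (
    "\\apache", "\\tomcat", "\\AppData\\", "\\Temp\\", "\\Public\\", "\\PerfLogs\\",
)

# Constructed tuning allowlist (hypothetical path, not from the page). Exclusions are
# keyed on the full parent path, so a binary with the same file name dropped into a
# different directory does not inherit the exclusion.
KNOWN_GOOD_PARENTS = {
    "c:\\temp\\backupagent.exe",
}


def matches_rule(event):
    """Evaluate 'selection_file and 1 of selection_process_*'.

    Sigma string modifiers compare case-insensitively, so both fields are lowered.
    If the event carries no ParentImage (the default for Sysmon EID 11, as the rule's
    definition field warns), neither process selection can match and the rule is silent.
    """
    target = event.get("TargetFilename", "").lower()
    parent = event.get("ParentImage", "").lower()
    selection_file = target.endswith("\\ntds.dit")
    selection_process_parent = any(parent.endswith(s.lower()) for s in PARENT_IMAGE_ENDSWITH)
    selection_process_parent_path = any(s.lower() in parent for s in PARENT_IMAGE_CONTAINS)
    return selection_file and (selection_process_parent or selection_process_parent_path)


def is_excluded(event):
    """Tuning layer: suppress only when the full parent path is allowlisted."""
    return event.get("ParentImage", "").lower() in KNOWN_GOOD_PARENTS


def triage(events):
    """Return the events that match the rule and survive the exclusions."""
    return [e for e in events if matches_rule(e) and not is_excluded(e)]


# Constructed sample events; field names follow Sysmon EID 11 with ParentImage enriched.
SAMPLE_EVENTS = [
    {"id": 1, "TargetFilename": "C:\\Windows\\Temp\\ntds.dit",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"id": 2, "TargetFilename": "C:\\Users\\Public\\ntds.dit",
     "ParentImage": "C:\\Users\\Public\\svc.exe"},
    {"id": 3, "TargetFilename": "D:\\Backup\\ntds.dit",
     "ParentImage": "C:\\Windows\\System32\\wbengine.exe"},
    {"id": 4, "TargetFilename": "C:\\Temp\\notes.txt",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"id": 5, "TargetFilename": "C:\\Windows\\Temp\\ntds.dit"},  # no ParentImage enrichment
    {"id": 6, "TargetFilename": "D:\\Backup\\ntds.dit",
     "ParentImage": "C:\\Temp\\BackupAgent.exe"},  # matches by path, allowlisted
    {"id": 7, "TargetFilename": "D:\\Backup\\ntds.dit",
     "ParentImage": "C:\\Users\\Public\\BackupAgent.exe"},  # same name, other directory
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"ALERT event {alert['id']}: {alert['TargetFilename']} <- {alert['ParentImage']}")
```

Running the module reports events 1, 2 and 7. Event 6 matches the rule through the `\Temp\` path selection but is suppressed by the allowlist, while event 7 carries the same file name in `\Public\` and still alerts: the path-based selections cover exactly the writable directories where a renamed copy of a trusted tool would sit, so exclusions keyed on the bare process name, as in the scenario filters above, give away more than a full-path allowlist does. Event 5 shows the degradation the rule's definition field describes: without ParentImage enrichment an ntds.dit creation produces no alert at all.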