The hypothesis is that an adversary is using an uncommon process (a script host or other LOLBin, or a binary running from a user-writable directory) to create a file named ntds.dit. NTDS.DIT is the Active Directory database, which holds the domain's password hashes, so its creation by anything other than the Directory Service itself usually means a copy of the database is being staged for offline credential dumping and points to a compromised domain controller. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and contain domain-level credential theft and exfiltration early.
Detection Rule
title: NTDS.DIT Creation By Uncommon Process
id: 11b1ed55-154d-4e82-8ad7-83739298f720
related:
    - id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
      type: similar
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
references:
    - https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/
    - https://adsecurity.org/?p=2398
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-11
modified: 2022-07-14
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
detection:
    selection_ntds:
        TargetFilename|endswith: '\ntds.dit'
    selection_process_img:
        Image|endswith:
            # Add more suspicious processes as you see fit
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
            - '\wsl.exe'
            - '\wt.exe'
    selection_process_paths:
        Image|contains:
            - '\AppData\'
            - '\Temp\'
            - '\Public\'
            - '\PerfLogs\'
    condition: selection_ntds and 1 of selection_process_*
falsepositives:
    - Unknown
level: high
imFileEvent
// ASIM FileEvent: TargetFilePath is the full path of the file being created and
// ActingProcessName is the full path of the creating process, which is what the
// Sigma rule's Image field maps to. TargetFileName carries the file name without
// a path, so it cannot be matched with a backslash prefix.
| where EventType == "FileCreated"
| where TargetFilePath endswith "\\ntds.dit"
| where (ActingProcessName endswith "\\cmd.exe" or ActingProcessName endswith "\\cscript.exe" or ActingProcessName endswith "\\mshta.exe" or ActingProcessName endswith "\\powershell.exe" or ActingProcessName endswith "\\pwsh.exe" or ActingProcessName endswith "\\regsvr32.exe" or ActingProcessName endswith "\\rundll32.exe" or ActingProcessName endswith "\\wscript.exe" or ActingProcessName endswith "\\wsl.exe" or ActingProcessName endswith "\\wt.exe")
    or (ActingProcessName contains "\\AppData\\" or ActingProcessName contains "\\Temp\\" or ActingProcessName contains "\\Public\\" or ActingProcessName contains "\\PerfLogs\\")
Scenario: A system administrator runs a PowerShell script that copies ntds.dit (for example from a VSS snapshot) to a staging directory for an offline backup or a test restore.
Filter/Exclusion: Exclude only the known script: match powershell.exe by its full image path together with a command line that invokes the script's exact path via -File or -Command. Do not key the exclusion on generic tokens such as "Test" or "Debug" in the script path, since an attacker can give a dumping script any name.
Scenario: A scheduled task runs a legitimate maintenance or backup job that writes a copy of ntds.dit as part of its work.
Filter/Exclusion: The acting process on the file event is the script host the task launches (powershell.exe, cscript.exe and so on), not schtasks.exe, so exclude on the task's known command line (script path and arguments) and, where your telemetry carries it, on the destination directory the job writes to. Confirm the task definition itself while tuning, because a scheduled task is also a common way to run the same copy repeatedly.
Scenario: A backup product such as Veeam Backup & Replication or Commvault writes ntds.dit while backing up or restoring a domain controller.
Filter/Exclusion: The rule's path selection applies to the process image, not to the destination file, so these agents only match if their executable runs from one of the listed directories. Exclude the agent by its full installation image path, not by a bare executable name, which a dropped binary can reuse.
Scenario: A servicing or patching operation (Windows Update, the WSUS client, an in-place upgrade of a domain controller) touches ntds.dit during installation.
Filter/Exclusion: wuauclt.exe and the Windows Update service (wuauserv, which runs inside svchost.exe; there is no wuauserv.exe) are not in the rule's image list and run from \Windows\System32\, so they do not match unless relocated. Avoid a blanket exclusion of svchost.exe; if one is needed, pin it to the full image path and the specific service command line.
Scenario: A database migration or tooling job (SQL Server Data Tools, MySQL Workbench) writes a file named ntds.dit during a data transfer or schema export.
Filter/Exclusion: sqlservr.exe and mysqld.exe are the database engine processes, not the client tools; exclude the process that actually writes the file, by full image path, and pin the exclusion to the migration job's script or output path.
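The following is an added example, not code from the Sigma project, the rule authors or this page: a small Python evaluator that applies the rule's logic (selection_ntds and 1 of selection_process_*) to Sysmon-style file-create events, and then layers one narrow exclusion of the kind the scenarios above call for. The field names follow Sysmon (Image, TargetFilename, CommandLine); the sample events, the allowlisted script path C:\Scripts\AD-Backup\Export-Ntds.ps1 and the destination D:\Backups\AD\ are constructed for this example and are assumptions, not anything the page states.

```python
import re

# Sigma's endswith/contains modifiers match case-insensitively by default,
# so every field is lower-cased before comparison.
SUSPICIOUS_IMAGES = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
    "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\wscript.exe",
    "\\wsl.exe", "\\wt.exe",
)
SUSPICIOUS_PATHS = ("\\appdata\\", "\\temp\\", "\\public\\", "\\perflogs\\")


def matches_rule(event):
    """selection_ntds and 1 of selection_process_* over one Sysmon-style
    file-create event with the fields Image and TargetFilename."""
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    if not target.endswith("\\ntds.dit"):
        return False
    return image.endswith(SUSPICIOUS_IMAGES) or any(p in image for p in SUSPICIOUS_PATHS)


# Hypothetical allowlist for one known backup job (image path, script path and
# destination are assumptions for this example). Pinning all three means a
# PowerShell one-liner that stages ntds.dit anywhere else still alerts.
KNOWN_JOBS = [
    {
        "image": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
        "cmdline": re.compile(r'-file\s+"?c:\\scripts\\ad-backup\\export-ntds\.ps1"?(\s|$)', re.I),
        "target_dir": "d:\\backups\\ad\\",
    },
]


def is_known_job(event):
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    cmdline = event.get("CommandLine", "")
    return any(
        image == job["image"]
        and job["cmdline"].search(cmdline) is not None
        and target.startswith(job["target_dir"])
        for job in KNOWN_JOBS
    )


def triage(events):
    """Return (id, verdict) per event: 'alert', 'suppressed' or 'no_match'."""
    verdicts = []
    for ev in events:
        if not matches_rule(ev):
            verdicts.append((ev["id"], "no_match"))
        elif is_known_job(ev):
            verdicts.append((ev["id"], "suppressed"))
        else:
            verdicts.append((ev["id"], "alert"))
    return verdicts


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 1: the allowlisted backup job: rule matches, the exclusion suppresses it
    {"id": 1, "Image": PS,
     "CommandLine": 'powershell.exe -File "C:\\Scripts\\AD-Backup\\Export-Ntds.ps1"',
     "TargetFilename": "D:\\Backups\\AD\\ntds.dit"},
    # 2: same binary, shadow-copy grab staged in Temp: alert
    {"id": 2, "Image": PS,
     "CommandLine": "powershell.exe -ep bypass -c Copy-Item "
                    "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit "
                    "C:\\Windows\\Temp\\",
     "TargetFilename": "C:\\Windows\\Temp\\ntds.dit"},
    # 3: cmd.exe copy with a mixed-case name: still matches
    {"id": 3, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c copy C:\\Windows\\Temp\\ntds.dit C:\\Users\\Public\\NTDS.DIT",
     "TargetFilename": "C:\\Users\\Public\\NTDS.DIT"},
    # 4: the Directory Service writing the live database: no match
    {"id": 4, "Image": "C:\\Windows\\System32\\lsass.exe",
     "CommandLine": "C:\\Windows\\system32\\lsass.exe",
     "TargetFilename": "C:\\Windows\\NTDS\\ntds.dit"},
    # 5: unknown binary running from AppData: matches via the path selection
    {"id": 5, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe",
     "CommandLine": "svc.exe",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\ntds.dit"},
    # 6: the copy is renamed on the way out: no match, the rule keys on the name
    {"id": 6, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c copy C:\\Windows\\Temp\\ntds.dit C:\\Windows\\Temp\\data.bin",
     "TargetFilename": "C:\\Windows\\Temp\\data.bin"},
]

if __name__ == "__main__":
    for event_id, verdict in triage(SAMPLE_EVENTS):
        print(event_id, verdict)
```

Event 6 is the caveat worth keeping in mind when tuning: the rule keys entirely on the file name, so a copy written under any other name never reaches the process checks. Pair it with process-creation rules for ntdsutil, esentutl and vssadmin rather than widening the exclusions here.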