Files whose names match the patterns produced by NTDS exfiltration tools may indicate an adversary attempting to extract sensitive domain data, so proactively hunting for them in Azure Sentinel is critical to identifying and containing a potential data breach. SOC teams should prioritize this behavior because of its high severity and because the NTDS database (NTDS.DIT) holds the credential material that underpins control of the domain.
Detection Rule
title: NTDS Exfiltration Filename Patterns
id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a
status: test
description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
references:
    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb
    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
    - https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
author: Florian Roth (Nextron Systems)
date: 2022-03-11
modified: 2023-05-05
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\All.cab' # https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
            - '.ntds.cleartext' # https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
    condition: selection
falsepositives:
    - Unknown
level: high
imFileEvent
| where TargetFileName endswith "\\All.cab" or TargetFileName endswith ".ntds.cleartext"
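The following Python is an added example, not part of the Sigma rule or the Sentinel query above. It reimplements the rule's selection logic (the two `endswith` suffixes, compared case-insensitively as Sigma does) over a handful of constructed file-creation events with Sysmon-style field names, and layers a hypothetical process-image allow-list on top, of the kind a SOC would use to suppress a known backup agent. The `AcmeBackup` path and all event records are constructed for the example.

```python
"""Added example: NTDS exfiltration filename selection with a process allow-list."""

from typing import Dict, List

# The two suffixes from the rule's selection block (TargetFilename|endswith).
# Sigma string matching is case-insensitive, so both sides are lowercased below.
NTDS_EXFIL_SUFFIXES = ("\\all.cab", ".ntds.cleartext")

# Hypothetical allow-list of process images permitted to create such files
# (constructed placeholder; a real list would name the organisation's backup agent).
EXCLUDED_IMAGES = {
    "c:\\program files\\acmebackup\\backupagent.exe",
}


def matches_selection(target_filename: str) -> bool:
    """Return True when the filename ends with one of the rule's suffixes."""
    name = target_filename.lower()
    return any(name.endswith(suffix) for suffix in NTDS_EXFIL_SUFFIXES)


def is_excluded(event: Dict[str, str]) -> bool:
    """Return True when the creating process image is on the allow-list."""
    return event.get("Image", "").lower() in EXCLUDED_IMAGES


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the selection, then the exclusion; return the events that should alert."""
    return [
        e for e in events
        if matches_selection(e["TargetFilename"]) and not is_excluded(e)
    ]


# Constructed sample file_event records (Sysmon Event ID 11 style field names).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Windows\\Temp\\All.cab",
     "User": "CORP\\jdoe"},
    {"Image": "C:\\Users\\jdoe\\python.exe",
     "TargetFilename": "C:\\Users\\jdoe\\dump\\dc01.ntds.cleartext",
     "User": "CORP\\jdoe"},
    {"Image": "C:\\Program Files\\AcmeBackup\\BackupAgent.exe",
     "TargetFilename": "D:\\Backups\\All.cab",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\NTDS\\NTDS.DIT.tmp",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Temp\\install.cab",
     "User": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT NTDS exfil pattern: {hit['TargetFilename']} "
              f"by {hit['Image']} ({hit['User']})")
```

Two details are worth noting when porting this logic to a SIEM. The leading backslash in `\All.cab` is part of the pattern, so `C:\Temp\install.cab` does not match while `D:\Backups\All.cab` does; dropping the backslash (or, in KQL, forgetting to escape it as `\\`) widens the rule to any `*all.cab` file. And the exclusion is applied after the selection, so the allow-list only ever suppresses events that would otherwise alert, which keeps its effect easy to audit.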
Scenario: Scheduled Backup of NTDS.DIT File
Description: A legitimate scheduled backup job creates a file named NTDS.DIT.20231005.bak as part of routine Active Directory backups.
Filter/Exclusion: Exclude files created by the backup service (e.g., BackupExec, Veeam, or Windows Server Backup) or filter by file creation time matching known backup windows.
Scenario: Administrative Task to Export NTDS.DIT for Forensic Analysis
Description: An admin uses ntdsutil to export the NTDS.DIT file for forensic analysis or auditing purposes.
Filter/Exclusion: Exclude files created by processes associated with ntdsutil or by users with administrative privileges performing known forensic tasks.
Scenario: Log File Rotation or Archive
Description: A log management tool like LogParser or Splunk creates a file named NTDS.DIT.log as part of log rotation or archival processes.
Filter/Exclusion: Exclude files with .log extensions or filter by process names associated with log management tools.
Scenario: Temporary File Created by a Legitimate Application
Description: A legitimate application (e.g., Microsoft Identity Manager, ADSync, or PowerShell) creates a temporary file named NTDS.DIT.tmp during data processing.
Filter/Exclusion: Exclude files with .tmp extensions or filter by process names associated with known legitimate applications.
Scenario: File System Monitoring Tool Generating Reports
Description: A file system monitoring tool (e.g., Sysmon, File Integrity Monitor) generates a report named NTDS.DIT.report for audit or compliance purposes.
Filter/Exclusion: Exclude files with .report extensions or filter by process names