The NTDS theft hypothesis detects adversaries using ntdsutil.exe to exfiltrate the Active Directory database, a critical asset for maintaining domain control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term persistence and lateral movement within the network.
KQL Query

```kql
DeviceProcessEvents
| where FileName =~ "ntdsutil.exe"
| where ProcessCommandLine has_any("full", "fu")
| where ProcessCommandLine has_any ("temp", "perflogs", "programdata")
// Exclusion
| where ProcessCommandLine !contains @"Backup"
```
Sentinel hunting query definition (YAML)

```yaml
id: 2a03d94e-991b-44f7-a2b3-e12ce6fd6c57
name: NTDS theft
description: |
  Microsoft has observed compromises related to Bazacall resulting in theft of the Active Directory database using ntdsutil.exe.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Credential Access
  - Exfiltration
query: |
  DeviceProcessEvents
  | where FileName =~ "ntdsutil.exe"
  | where ProcessCommandLine has_any("full", "fu")
  | where ProcessCommandLine has_any ("temp", "perflogs", "programdata")
  // Exclusion
  | where ProcessCommandLine !contains @"Backup"
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
False-positive scenarios and suggested exclusions:

- Scenario: Scheduled backup of the Active Directory database using ntdsutil.exe
  - Filter/Exclusion: Check for the presence of ntdsutil.exe in known backup scripts or scheduled tasks associated with the Microsoft Backup utility or third-party backup tools such as Veeam or Acronis.
- Scenario: Administrative task to recover or restore the Active Directory database using ntdsutil.exe
  - Filter/Exclusion: Filter events where ntdsutil.exe is executed with elevated privileges and in conjunction with ntds.dit file operations, but only if the task is documented as part of a recovery or restore process.
- Scenario: Use of ntdsutil.exe by a domain administrator for forensic analysis or troubleshooting
  - Filter/Exclusion: Exclude processes initiated by domain administrators with a known history of performing forensic or troubleshooting tasks, and where the command line includes parameters like /db or /config for legitimate database operations.
- Scenario: Automated maintenance task using ntdsutil.exe to perform database consistency checks
  - Filter/Exclusion: Exclude processes initiated by scheduled tasks or services with a known association with Windows Server maintenance routines, such as those running under the NT SERVICE\NTDS account.
- Scenario: Use of ntdsutil.exe to perform offline defragmentation of the Active Directory database
  - Filter/Exclusion: Filter out instances where ntdsutil.exe is used with the /defrag parameter, typically executed by domain controllers during maintenance windows or as part of a planned defragmentation process.
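To test the query logic offline before deploying it, the following added example (not part of the original hunting rule) re-implements the KQL above in Python over constructed DeviceProcessEvents rows, reproducing KQL's case-insensitive `=~`, term-based `has_any` and case-insensitive `!contains`, and adds an allowlist for the scheduled-backup scenario above. The `contoso\svc-adbackup` account, device names and sample command lines are assumptions for the demo.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    device_name: str
    account_name: str
    file_name: str
    process_command_line: str

# Same terms as the KQL query; KQL has_any matches whole terms, case-insensitively.
IFM_TERMS = ("full", "fu")                  # "create full" or the abbreviated "cr fu"
STAGING_TERMS = ("temp", "perflogs", "programdata")
# Hypothetical allowlist for the scheduled-backup scenario; tune to your environment.
KNOWN_BACKUP_ACCOUNTS = {"contoso\\svc-adbackup"}

def has_any_term(text, terms):
    # Split on non-alphanumerics so "C:\ProgramData\ifm" yields the term "programdata".
    tokens = set(re.split(r"[^a-z0-9]+", text.lower()))
    return any(t in tokens for t in terms)

def is_ntds_theft_candidate(ev):
    """Mirror of the Sentinel query, plus the documented-backup-account exclusion."""
    if ev.file_name.lower() != "ntdsutil.exe":           # FileName =~ "ntdsutil.exe"
        return False
    cmd = ev.process_command_line
    if not has_any_term(cmd, IFM_TERMS):                   # has_any("full", "fu")
        return False
    if not has_any_term(cmd, STAGING_TERMS):               # has_any("temp", ...)
        return False
    if "backup" in cmd.lower():                            # !contains is case-insensitive
        return False
    if ev.account_name.lower() in KNOWN_BACKUP_ACCOUNTS:   # scheduled-backup exclusion
        return False
    return True

def hunt(events):
    return [ev.device_name for ev in events if is_ntds_theft_candidate(ev)]

# Constructed sample rows, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("DC01", "contoso\\jdoe", "ntdsutil.exe",
                 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\x" q q'),
    ProcessEvent("DC02", "contoso\\jdoe", "NTDSUTIL.EXE",
                 'ntdsutil "ac i ntds" "ifm" "cr fu C:\\ProgramData\\x" q q'),
    ProcessEvent("DC01", "contoso\\svc-adbackup", "ntdsutil.exe",
                 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\ifm" q q'),
    ProcessEvent("DC03", "contoso\\admin", "ntdsutil.exe",
                 'ntdsutil.exe "ac i ntds" "ifm" "create full D:\\Backup\\AD" q q'),
]
print(hunt(SAMPLE_EVENTS))  # ['DC01', 'DC02']
```

The third and fourth rows show the two exclusions firing: the documented backup account and a path containing "Backup", which the KQL drops regardless of case.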